On Saturday 15 May 2010 22:07:44 Robert Klotzner wrote:
> There is a reason why things like selinux are developed.
http://en.wikipedia.org/wiki/Discretionary_Access_Control
http://en.wikipedia.org/wiki/Mandatory_access_control
Yes. The design of Unix permissions is based on the DAC principle, al
On Mon, 2010-05-17 at 09:40 -0400, micah anderson wrote:
> RFC 5081 is still quite a while off from widespread adoption. When it is
> more widely adopted, we will be in a much better situation, until then
> the monkeysphere is operating as an interim translation step (keeping
> the on-the-wire prot
On Mon, 17 May 2010 08:25:50, Christoph Anton Mitterer wrote:
> On Mon, 17 May 2010 00:12:56 -0400, Micah Anderson
> wrote:
> > Can you clarify what you mean by "standardised technology"? I work on
> > the monkeysphere project, and from my point of view, I'd have to
> > disagree with you,
On Mon, 17 May 2010 00:12:56 -0400, Micah Anderson
wrote:
> Can you clarify what you mean by "standardised technology"? I work on
> the monkeysphere project, and from my point of view, I'd have to
> disagree with you, but I may not understand what you mean.
What I meant was simply something that is
Christoph Anton Mitterer writes:
> On Sat, 2010-05-15 at 21:01 +0800, Paul Wise wrote:
>> You might be interested in monkeysphere
> ...and in RFC 5081
> I haven't had a detailed look at monkeysphere so
> far, but it seemed at a first glance, that it does not use
> standardised technology, does
Christoph Anton Mitterer writes:
> On Sat, 2010-05-15 at 21:01 +0800, Paul Wise wrote:
>> You might be interested in monkeysphere
> ...and in RFC 5081
>
> I haven't had a detailed look at monkeysphere so far, but it seemed at a
> first glance, that it does not use standardised technology, does it
]] Christoph Anton Mitterer
(Please respect my mail-followup-to, there's no need to Cc me on lists
which I read. It'd also make your mails more readable if you leave a
blank line between what you quote and your reply.)
| On Sat, 2010-05-15 at 09:04 +0200, Tollef Fog Heen wrote:
| > You can make
On 05/15/2010 02:00 AM, Robert Klotzner wrote:
> Also as far as I understood from a previous post, this change will only
> affect new installations, not existing ones. So even if a user
> misunderstood the concept and added other users to his private group,
> this change does not affect hi
On Sat, 2010-05-15 at 21:01 +0800, Paul Wise wrote:
> You might be interested in monkeysphere
...and in RFC 5081
I haven't had a detailed look at monkeysphere so far, but it seemed at a
first glance, that it does not use standardised technology, does it?
Cheers,
Chris.
On Sat, May 15, 2010 at 12:53:30PM +0200, Christoph Anton Mitterer wrote:
> On Fri, 2010-05-14 at 22:22 -0700, Russ Allbery wrote:
> > These are really odd complaints to bring against Debian given that these
> > are not Debian issues. Firefox, for example, works exactly the same way
> > everywhere
On Sat, May 15, 2010 at 8:34 PM, Eray Aslan wrote:
> Amen. PKI is a naive design and for all intents and purposes will
> remain a pipe-dream. All security relationships that are worth anything
> are bilateral, and no trusted third party is willing to accept enough risk
> to warrant full trust.
>
On 15.05.2010 08:24, Russ Allbery wrote:
> Christoph Anton Mitterer writes:
>> And personally, I really do _not_ trust some of the CAs which are
>> included/enabled per default.
>
> Having done business with several of them, I don't trust any commercial
> CA. This is a way more fundamental probl
On Saturday 15 May 2010 13:47:43 Christoph Anton Mitterer wrote:
> On Sat, 2010-05-15 at 13:22 +0200, Michael Biebl wrote:
>
> It just shows how such stuff can completely undermine security, and one
> hadn't even thought that this would be possible.
This applies to any change you make to a piece o
On Sat, 2010-05-15 at 13:22 +0200, Michael Biebl wrote:
> And why you think this is a Debian-specific problem is completely beyond
> me.
>
> This was an upstream bug, found by a fellow DD, and then quickly
> communicated to upstream and fixed there.
> I honestly don't see how you can blame D
* Christoph Anton Mitterer [100515 13:29]:
> On Sat, 2010-05-15 at 13:22 +0200, Bernhard R. Link wrote:
> > Sorry, adding one user to the group of another is almost as stupid as
> > adding a script in /etc/cron.daily writeable by some user.
> If the user who owns the group allows it? What else sho
On 15.05.2010 12:53, Christoph Anton Mitterer wrote:
> udisks should have probably not exported the dm-crypt keys to normal
> users, but it did.
And why you think this is a Debian-specific problem is completely beyond me.
This was an upstream bug, found by a fellow DD, and then quickly communi
On Sat, 2010-05-15 at 13:22 +0200, Bernhard R. Link wrote:
> Sorry, adding one user to the group of another is almost as stupid as
> adding a script in /etc/cron.daily writeable by some user.
If the user who owns the group allows it? What else should I do in your
opinion?
Cheers,
Chris.
* Christoph Anton Mitterer [100515 12:53]:
> > If regular users can add other people to groups on your system, you have
> > way more serious security problems than user-private groups, and those
> > security problems are not created by Debian.
> Of course I talk about having this done by root.
> I
On Sat, 2010-05-15 at 09:04 +0200, Tollef Fog Heen wrote:
> You can make that argument for just about all the daemons that are
> shipped in the distro.
Yes :)
> Should ssh not start by default or just listen
> to localhost for instance?
Personally,... I'd prefer the listen to localhost only (per
On Fri, 2010-05-14 at 22:22 -0700, Russ Allbery wrote:
> These are really odd complaints to bring against Debian given that these
> are not Debian issues. Firefox, for example, works exactly the same way
> everywhere. What do you want Debian to do, write our own web browser?
> There are limits to
> You need to explain clearly how the umask of 0002 is insecure. If you
> have members in your user private group, then your group isn't private,
> is it? UPG is designed to NOT have anyone else in your group except you.
> So, adding the write bit on the group mode does not affect security in
> the
Christian PERRIER wrote:
> Quoting Russ Allbery (r...@debian.org):
>> >> you must not understand how user-private groups work at all
>> > Well I guess I do,...
>> Given your complaints, actually, you don't appear to.
[...]
> Is there a mail in this thread that would explain all this?
[...]
ht
]] Christoph Anton Mitterer
| > Judging from the changelog of portmap, there's been a *lot* of discussion
| > and angst over this decision over the years, and it wasn't one that was
| > made easily. I think you're overstating this a bit as an example of a bad
| > direction.
|
| Yes,.. but why "o
Quoting Russ Allbery (r...@debian.org):
> >> you must not understand how user-private groups work at all
>
> > Well I guess I do,...
>
> Given your complaints, actually, you don't appear to.
Is there a mail in this thread that would explain all this?
From your own words, it seems that most ne
On 05/14/2010 06:40 PM, Klaus Ethgen wrote:
> Oh, I will not make any more comment on that decision. Maybe I will
> search for a more secure distribution. This decision is much too much.
> And it is the last straw that breaks the camel's back. Debian was my
> favorite distribution for over ten ye
Christoph Anton Mitterer writes:
> Another nice (IMHO) example are the X.509 that are shipped per default
> in several places (Mozilla NSS, ca-certificates).
> Per default all of them are enabled... right?
> Mozilla recently proved that they are not really able to manage their
> cert store gi
Christoph Anton Mitterer writes:
> - Many packages contain code which does things that are questionable from
> a security point of view:
> 1) Some of them download and install data from the web (fonts, sun jdk
> doc, firmware, etc.) but do not verify them, therefore bypassing
> Debian's great sec
On Sat, 2010-05-15 at 03:32 +0200, Andreas Marschke wrote:
> In that case why don't we as security aware people and people that think that
> more hardened defaults should be applied,
I think we (Debian as a collective) do apparently not think so, which
is probably _not_ specifically proven by tha
On Saturday 15 May 2010, 02:55:40, Christoph Anton Mitterer wrote:
> On Fri, 2010-05-14 at 17:16 -0700, Russ Allbery wrote:
> > Why do you have this strong of a reaction to this change?
>
> Because it shows - what I consider to be a - trend in Debian recently
> that security is dying more and more (a
On Sat, 2010-05-15 at 02:55 +0200, Christoph Anton Mitterer wrote:
> - Many packages ship with configuration that is either really insecure
> or that could be at least hardened a lot.
Another nice (IMHO) example are the X.509 that are shipped per default
in several places (Mozilla NSS, ca-certifica
On Sat, 2010-05-15 at 02:18 +0200, Stefano Zacchiroli wrote:
> Guys, IMHO you really need to stop ranting contentlessly. Either you
> reply to the technical arguments in favor of the change that have been
> made (e.g. by Russ Allbery in this thread, to which you carefully
> avoided to reply thus f
On Fri, 2010-05-14 at 17:16 -0700, Russ Allbery wrote:
> Why do you have this strong of a reaction to this change?
Because it shows - what I consider to be a - trend in Debian recently
that security is dying more and more (again, I do not mean the work of the
Security Team).
- Debian does not ship wi
On Sat 15 May 2010 at 1:18, Stefano Zacchiroli wrote:
> On Sat, May 15, 2010 at 01:57:05AM +0200, Christoph Anton Mitterer wrote:
> > Klaus Ethgen wrote:
> > > A black day in the security of Debian. Well.. One more.
> > Absolutely true,... :-(
On Sat, May 15, 2010 at 01:57:05AM +0200, Christoph Anton Mitterer wrote:
> Klaus Ethgen wrote:
> > A black day in the security of Debian. Well.. One more.
> Absolutely true,... :-(
Guys, IMHO you really need to stop ranting contentlessly. Either you
reply to the technical arguments in favor of t
Christoph Anton Mitterer writes:
> Now that we have Ubuntu as competitor, which is nicely coloured and
> where everything "just works", let's try to imitate (and integrate
> Ubuntu stuff) as much as possible.
> Or even better,... let's use Windows as archetype.
> Why don't we add any user to th
Klaus Ethgen wrote:
> A black day in the security of Debian. Well.. One more.
Absolutely true,... :-(
Now that we have Ubuntu as competitor, which is nicely coloured and
where everything "just works", let's try to imitate (and integrate
Ubuntu stuff) as much as possible.
Or even better,... let's