• Re: the sanesecurity configuration is not suitable for a release

    From Scott Kitterman@21:1/5 to md@linux.it on Fri Feb 16 09:17:40 2024
    On Thu, 8 Feb 2024 19:35:50 +0100 Marco d'Itri <md@linux.it> wrote:
    > Source: fangfrisch
    > Version: 1.7.0-1
    > Severity: grave
    > Tags: upstream
    >
    > Control: forwarded -1 https://github.com/rseichter/fangfrisch/issues/30
    >
    > The sanesecurity section of the default configuration, if enabled, relies on
    > an unofficial HTTP mirror which is seriously overloaded and probably
    > seriously expensive for its operators, since it is located in Australia.
    > The only other known HTTP mirror is mentioned on
    > https://wiki.gentoo.org/wiki/ClamAV_Unofficial_Signatures, with a vague
    > note about it being available to the public.
    >
    > Until fangfrisch implements rsync support, I do not think that it is
    > safe to include fangfrisch in a Debian release due to the possible
    > effect on unsuspecting third party mirrors.
    >
    > This has also been discussed upstream: https://github.com/rseichter/fangfrisch/issues/30

    I don't know that I'd call this fixed upstream, since the package is not
    directly using rsync, but the fact that he's now rsyncing from sanesecurity
    and running his own mirror (the only person he can DoS is himself) is
    progress.

    If we update to 1.8.0, I don't think we should mark this bug done, but it
    might be reasonable to change the severity to Important. What do you think?

    Scott K

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Scott Kitterman@21:1/5 to All on Sat Feb 17 13:05:01 2024
    On Fri, 16 Feb 2024 09:17:40 -0500 Scott Kitterman <debian@kitterman.com> wrote:
    > On Thu, 8 Feb 2024 19:35:50 +0100 Marco d'Itri <md@linux.it> wrote:
    > > Source: fangfrisch
    > > Version: 1.7.0-1
    > > Severity: grave
    > > Tags: upstream
    > >
    > > Control: forwarded -1 https://github.com/rseichter/fangfrisch/issues/30
    > >
    > > The sanesecurity section of the default configuration, if enabled, relies on
    > > an unofficial HTTP mirror which is seriously overloaded and probably
    > > seriously expensive for its operators, since it is located in Australia.
    > > The only other known HTTP mirror is mentioned on
    > > https://wiki.gentoo.org/wiki/ClamAV_Unofficial_Signatures, with a vague
    > > note about it being available to the public.
    > >
    > > Until fangfrisch implements rsync support, I do not think that it is
    > > safe to include fangfrisch in a Debian release due to the possible
    > > effect on unsuspecting third party mirrors.
    > >
    > > This has also been discussed upstream: https://github.com/rseichter/fangfrisch/issues/30
    >
    > I don't know that I'd call this fixed upstream, since the package is not
    > directly using rsync, but the fact that he's now rsyncing from sanesecurity
    > and running his own mirror (the only person he can DoS is himself) is
    > progress.
    >
    > If we update to 1.8.0, I don't think we should mark this bug done, but it
    > might be reasonable to change the severity to Important. What do you think?

    Upon further reflection, I'm going to mark this as done in 1.8.0. The
    specific issue raised in the bug is resolved. Direct support for rsync would
    be better, but I think we've cleared this particular hurdle for releasability.

    Scott K
