From: Thorsten Alteholz <ftpmaster@ftp-master.debian.org>
Date: March 22, 2024 at 20:00:15 GMT+1
To: Gürkan Myczko <tar@debian.org>
Subject: ruptime_1.4-1_amd64.changes REJECTED

Hi,

after a short glimpse even I already found some issues with this software:

 If you install ruptime.key as described in README.md, you will get a world readable key file.
 As this is a symmetric key, everyone who has access to the key on one machine can forge messages on every other machine.
 I would not say that this can be called "encrypted messages" at all.

 It uses mcrypt in version 2.6.8 which is from 2009. It uses CBC as default encryption algorithm.
 Nowadays this is no longer recommended to use.

 Doing something like
   echo "/*/*/*/*/*/* asd" |nc localhost 51300
 for each core of your ruptimed server makes it really busy.
 There is no check, no ACL, nothing to prevent this.

This software might be nice, but there is still some work to do.

 Thorsten

===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our concerns.
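
The world-readable key file described in the message above can be detected and avoided at install time. The following is an added example, not part of the original message and not code from ruptime; the function names key_mode, key_is_exposed and install_key and the temporary paths are assumptions made for illustration, and the sample key is constructed.

```shell
#!/bin/sh
# Audit and harden the mode of a shared-secret key file (added example).
# The real install path of ruptime.key is not given on the page, so the demo
# at the bottom works on a constructed file in a temporary directory.

# key_mode FILE: print the octal permission bits of FILE (e.g. 644).
key_mode() {
    # GNU stat first, BSD stat as a fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_is_exposed FILE: return 0 if group or other have any access,
# 1 if only the owner does, 2 if the file cannot be inspected.
key_is_exposed() {
    mode=$(key_mode "$1") || return 2
    # The leading 0 makes the shell read the value as octal; 077 masks the
    # group and other permission bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        return 0
    fi
    return 1
}

# install_key SRC DST: copy SRC to DST so that DST is mode 600 and is never
# readable by group or other, not even between creation and chmod.
install_key() {
    (
        umask 077 || exit 1
        tmp="$2.tmp.$$"
        cp "$1" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$2"
    )
}

# Demo on constructed data: a key copied with default permissions is flagged,
# the same key installed through install_key is not.
demo_dir=$(mktemp -d)
printf 'constructed-shared-secret\n' > "$demo_dir/source.key"
chmod 644 "$demo_dir/source.key"
if key_is_exposed "$demo_dir/source.key"; then
    echo "source.key: mode $(key_mode "$demo_dir/source.key"), readable beyond owner"
fi
install_key "$demo_dir/source.key" "$demo_dir/ruptime.key"
if ! key_is_exposed "$demo_dir/ruptime.key"; then
    echo "ruptime.key: mode $(key_mode "$demo_dir/ruptime.key"), owner only"
fi
rm -rf "$demo_dir"
```

Restricting the file mode only limits who on one host can read the key; because the key is symmetric, any host that holds it can still produce messages the others accept.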