-------- Original Message -------- Subject: Re: [Alug] (RedHat) rsync-2.4.6-8 Update BROKEN Date: Fri, 01 Feb 2002 16:22:28 +0000
MJ Ray quoth:
James:
I handed out a CD containing updates with this broken rsync on it at an ALUG meeting, so in this instance I had a responsibility to warn the recipient,
[...]
Yes, in this case it probably was a good idea. In general, though, security alerts are best handled by people who can actually verify them. If you're relying on unsigned messages to open ALUG lists, you've got serious security problems already.
Quite. Sadly, few people even bother to check digital signatures, _and_ make sure that they maintain keys from trusted sources. I make sure that files with MD5 signatures were there on personal CD compilations, but that is only a file corruption check - *not* an authenticity guarantee. Authenticity checking is an unwelcome overhead at times, but I expect no-one to place absolute trust in any open source packages passed on by me. Nor should they.
In general, I beg everyone here to sign up to a security alert service from their service company, distributor or a recognised authority.
Valuable advice. And for high threat/value situations, don't necessarily trust single sources of advice. Seek corroboration from multiple sources where possible, and be aware of their interdependencies, if any.
I am certainly aware that job posting announcements, *any* announcements, posted "blind" to this list are likely to raise the noise level to unacceptable levels.
Not guilty.
More generally, we must all take responsibility for our own security; the list cannot do that for us. If you disagree that my full posting of the security notice for rsync was on topic (because of the CD I distributed, and other directly related postings) - then I am sorry for wasting your time. But I gave the matter careful consideration before adding ALUG and pressing the "send" button, I can assure you.
It closed the matter on broken rsyncs floating around out there; rsyncs that may damage data resources you *thought* were personally mirrored. And it proves that any distribution is just as likely as another to circulate dodgy code from time to time. Poetic justice, (as well as bad timing) that my 020126 RedHat update CD circulated a broken rsync just after I asked for feedback about the Debian one :-(
Just done to raise awareness. Not start a flame war, or religious feud over whose distribution is the most worthy. They are all Linux, and all better than proprietary alternatives, where you don't get to know about bugs and security hazards until they eat you alive.
--James
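The integrity-versus-authenticity point James makes about MD5 files on his update CDs, worked through as an added example (not code from the thread or from any of the people in it). It models a CD image as a dict, checks it the way `md5sum -c` would, and compares that with a detached signature whose key never ships on the CD. The package name is the one from the thread; its bytes, the signing key and the HMAC stand-in for a GPG signature are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data. PACKAGE is the name from the thread; the bytes are made up.
# SIGNING_KEY stands in for the distributor's private signing key: it is never written
# to the CD, which is exactly what makes the signature different from the MD5SUMS file.
PACKAGE = "rsync-2.4.6-8.i386.rpm"
PACKAGE_BYTES = b"\xed\xab\xee\xdb constructed rpm payload for the example"
SIGNING_KEY = b"distributor-key-kept-off-the-cd"

def md5sums_text(files):
    """Build an MD5SUMS file in md5sum's own format: '<hex digest>  <file name>' per line."""
    return "".join(f"{hashlib.md5(data).hexdigest()}  {name}\n" for name, data in files.items())

def sign(key, text):
    """Stand-in for a detached signature over MD5SUMS (HMAC-SHA256 here; GPG in practice)."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()

def build_cd(files):
    """A 'CD image': the files, their MD5SUMS, and a signature over MD5SUMS."""
    sums = md5sums_text(files)
    return {"files": dict(files), "MD5SUMS": sums, "MD5SUMS.sig": sign(SIGNING_KEY, sums)}

def check(cd, key):
    """Return (md5_ok, sig_ok): what `md5sum -c MD5SUMS` and a signature check each report."""
    md5_ok = True
    for line in cd["MD5SUMS"].splitlines():
        digest, name = line.split("  ", 1)
        md5_ok &= hashlib.md5(cd["files"][name]).hexdigest() == digest
    sig_ok = hmac.compare_digest(sign(key, cd["MD5SUMS"]), cd["MD5SUMS.sig"])
    return md5_ok, sig_ok

def corrupted_copy(cd):
    """Case 1: a media error flips a bit in the package; MD5SUMS and its signature are intact."""
    files = dict(cd["files"])
    data = bytearray(files[PACKAGE])
    data[0] ^= 0x01
    files[PACKAGE] = bytes(data)
    return {"files": files, "MD5SUMS": cd["MD5SUMS"], "MD5SUMS.sig": cd["MD5SUMS.sig"]}

def substituted_copy(cd):
    """Case 2: the package is a different build and MD5SUMS was regenerated to match it.
    md5sum -c is satisfied; the signature is not, because the key was never on the CD."""
    files = dict(cd["files"])
    files[PACKAGE] = b"a different build of rsync"
    return {"files": files, "MD5SUMS": md5sums_text(files), "MD5SUMS.sig": cd["MD5SUMS.sig"]}
```

Case 1 is the only thing an MD5SUMS file on the same CD can tell you about; case 2 is what a signature from a key you obtained elsewhere adds.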