James:
I handed out a CD containing updates with this broken rsync on it at an ALUG meeting, so in this instance I had a responsibility to warn the recipient,
[...]
Yes, in this case it probably was a good idea. In general, though, security alerts are best handled by people who can actually verify them. If you're relying on unsigned messages to open ALUG lists, you've got serious security problems already.
In general, I beg everyone here to sign up to a security alert service from their service company, distributor or a recognised authority.
-------- Original Message -------- Subject: Re: [Alug] (RedHat) rsync-2.4.6-8 Update BROKEN Date: Fri, 01 Feb 2002 16:22:28 +0000
MJ Ray quoth:
James:
I handed out a CD containing updates with this broken rsync on it at an ALUG meeting, so in this instance I had a responsibility to warn the recipient,
[...]
Yes, in this case it probably was a good idea. In general, though, security alerts are best handled by people who can actually verify them. If you're relying on unsigned messages to open ALUG lists, you've got serious security problems already.
Quite. Sadly, few people even bother to check digital signatures, _and_ make sure that they maintain keys from trusted sources. I make sure that files with MD5 signatures are there on personal CD compilations, but that is only a file corruption check - *not* an authenticity guarantee. Authenticity checking is an unwelcome overhead at times, but I expect no-one to place absolute trust in any open source packages passed on by me. Nor should they.
In general, I beg everyone here to sign up to a security alert service from their service company, distributor or a recognised authority.
Valuable advice. And for high threat/value situations, don't necessarily trust single sources of advice. Seek corroboration from multiple sources where possible, and be aware of their interdependencies, if any.
I am certainly aware that job posting announcements, *any* announcements, posted "blind" to this list are likely to raise the noise level to unacceptable levels.
Not guilty.
More generally, we must all take responsibility for our own security; the list cannot do that for us. If you disagree that my full posting of the security notice for rsync was on topic (because of the CD I distributed, and other directly related postings) - then I am sorry for wasting your time. But I gave the matter careful consideration before adding ALUG and pressing the "send" button, I can assure you.
It closed the matter on broken rsyncs floating around out there; rsyncs that may damage data resources you *thought* were personally mirrored. And it proves that any distribution is just as likely as another to circulate dodgy code from time to time. Poetic justice (as well as bad timing) that my 020126 RedHat update CD circulated a broken rsync just after I asked for feedback about the Debian one :-(
Just done to raise awareness. Not start a flame war, or religious feud over whose distribution is the most worthy. They are all Linux, and all better than proprietary alternatives, where you don't get to know about bugs and security hazards until they eat you alive.
--James
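The distinction James draws above, that an MD5SUMS file on a CD catches corruption but says nothing about who produced the package, is easiest to see with both checks side by side. The following is an added example written for this page; it is not code from the thread, from James, or from any distribution's tooling. It assumes an ed25519 key pair standing in for a distributor's signing key (a real distributor would use GPG), a constructed byte string standing in for the rsync RPM, and a recipient who obtained the public key out of band rather than from the same CD.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Update models what a recipient gets from a CD or mirror: the package bytes,
// an MD5SUMS file in md5sum(1) format, and a detached signature over MD5SUMS.
// Illustrative stand-in only; no real RPM or distributor tooling is involved.
type Update struct {
	PkgName  string
	PkgBytes []byte
	MD5SUMS  string
	Sig      []byte // ed25519 signature over the MD5SUMS bytes (stand-in for a GPG signature)
}

// md5sumLine renders one line in the format md5sum(1) writes and checks.
func md5sumLine(name string, data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:]) + "  " + name + "\n"
}

// Publish is the distributor side: hash the package, then sign the checksum
// file with the distributor's private key.
func Publish(priv ed25519.PrivateKey, name string, pkg []byte) Update {
	sums := md5sumLine(name, pkg)
	return Update{PkgName: name, PkgBytes: pkg, MD5SUMS: sums, Sig: ed25519.Sign(priv, []byte(sums))}
}

// CheckMD5 is the corruption check only: does the package match what MD5SUMS
// says? It tells the recipient nothing about who wrote MD5SUMS.
func CheckMD5(u Update) bool {
	for _, line := range strings.Split(strings.TrimSpace(u.MD5SUMS), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[1] == u.PkgName {
			sum := md5.Sum(u.PkgBytes)
			return fields[0] == hex.EncodeToString(sum[:])
		}
	}
	return false // no entry for this package
}

// CheckSignature is the authenticity check: was this MD5SUMS signed by the key
// the recipient already trusts (obtained out of band, not from the same CD)?
func CheckSignature(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, []byte(u.MD5SUMS), u.Sig)
}

// Tamper models a middleman (a mirror, or whoever burned the CD) who swaps the
// package and regenerates MD5SUMS. Without the private key they cannot
// regenerate Sig, so the old signature no longer matches the new MD5SUMS.
func Tamper(u Update, evil []byte) Update {
	t := u
	t.PkgBytes = evil
	t.MD5SUMS = md5sumLine(u.PkgName, evil)
	return t
}

// Corrupt models a bad burn or download: one byte of the package flips while
// MD5SUMS and its signature are untouched.
func Corrupt(u Update) Update {
	c := u
	c.PkgBytes = append([]byte(nil), u.PkgBytes...)
	c.PkgBytes[0] ^= 0x01
	return c
}

// Outcome records both checks for one copy of the update.
type Outcome struct{ MD5OK, SigOK bool }

func Check(pub ed25519.PublicKey, u Update) Outcome {
	return Outcome{MD5OK: CheckMD5(u), SigOK: CheckSignature(pub, u)}
}

// Scenario runs the three cases the thread is about: a genuine copy, a copy
// where a middleman replaced the package and rewrote MD5SUMS, and a copy
// damaged in transit.
func Scenario() (genuine, tampered, corrupted Outcome) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for package contents; no real rsync RPM is embedded.
	pkg := []byte("rsync-2.4.6-8.i386.rpm: constructed sample contents")
	u := Publish(priv, "rsync-2.4.6-8.i386.rpm", pkg)
	genuine = Check(pub, u)
	tampered = Check(pub, Tamper(u, []byte("rsync-2.4.6-8.i386.rpm: replaced by middleman")))
	corrupted = Check(pub, Corrupt(u))
	return
}

func main() {
	g, t, c := Scenario()
	fmt.Printf("genuine:   md5=%v sig=%v\n", g.MD5OK, g.SigOK)
	fmt.Printf("tampered:  md5=%v sig=%v  (MD5 alone would accept this)\n", t.MD5OK, t.SigOK)
	fmt.Printf("corrupted: md5=%v sig=%v  (MD5SUMS is genuine, the package is not)\n", c.MD5OK, c.SigOK)
}
```

The tampered case is the one that matters for James's CD: a replaced package with a freshly written MD5SUMS passes the checksum test and fails only the signature test, so the recipient has to run both, and the signing key has to come from somewhere other than the disc being checked.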
Hi all, Just going to join the fray. I appreciate the information from James, being the recipient of the update. I agree with the point about not posting security updates; however, common decency would suggest that if some software that has been passed on is found to have security issues, then the recipient and other possible recipients of the software should be made aware and informed...
James, I believe, was doing "the right thing", and I feel having a go at the guy for being informative is bad form... Fair enough, some of you may disagree, and everyone is entitled to their own point of view... I was under the impression that an open community was somewhere the passage of information is accepted and not quashed... If one informative e-mail can get someone flamed, then what is the world coming to? ...
I'm sure that everyone has at sometime sent an e-mail that others have read about before without getting this sort of reaction.
</RANT>
Simon
On Friday 01 Feb 2002 8:46 pm, you wrote:
[James's message of Fri, 01 Feb 2002, quoted in full above]
main@lists.alug.org.uk http://www.anglian.lug.org.uk/ http://lists.alug.org.uk/mailman/listinfo/main Unsubscribe? See message headers or the web site above!