Domain: mandrakesecure.net
Stories and comments across the archive that link to mandrakesecure.net.
Comments · 36
-
no version 1 products
the reason I'm not using redhat is stability. M10 is nice and stable as a desktop. I'm not going to waste my time using a V1.0 (fedora) product.
I've got to agree M10 has done a good job on the desktop. It just works, plus there's a decent supply of documentation.
-
Re:Excellent
I'm sure grsecurity is nice, but today it exists as a set of patches to the vanilla kernel only. The only distros that support it are Adamantix and Gentoo (part of Hardened Gentoo). Other widely used distros like RedHat, SuSE and Mandrake do not.
Actually, Mandrake ships a kernel rpm with grsecurity.
Mandrake security
Just look for the kernel-secure-* rpms. Debian provides the grsecurity patches for their kernels, as well. -
At least they didn't get any source...
...in those attacks, like they have in the numerous Microsoft leaks. Imagine the strife we'd be in if they stole the source to Debian!
But seriously, how shall I put this? ChkRootKit, TripWire, AIDE, FICC, ProSum, Toby, msec, Nessus, LSAT, Saint, LIDS and of course if you want totally proactive, try SELinux, Medusa DS9 or OpenWall. That's hardly an exhaustive list, but it does hit many of the highlights. Boy, youse bin livin in a monoculture too damn long! -
Re:Misconceptions
they're for mdk 10.0, not 9.2. Probably that wouldn't work.
You didn't say you wanted 9.2. The 9.2 ISOs have *just* been removed to make place for the 10.0 ISOs, but a number of mirrors will probably still have the 9.2 ISOs that have been publicly available for 5 months.
(same thing applies for your two other points)
Yes, all freely-licensed software in the distribution is available publicly.
where do I get a free, stable, mdk-modified kernel for 9.2 ?
ftp://mandrake.contactel.cz/Mandrake/9.2/i586/Mandrake/RPMS/kernel-2.4.22.10mdk-1-1mdk.i586.rpm
(or on any of the other Mandrake mirrors - where they have been for over 5 months). And, it's trivial to set the distro up to install packages from the network, unlike many other "commercial" distros (I'm fighting with this on a Redhat box inside a heavily firewalled network ... with things that are trivial on Mandrake).
But I don't want to *subscribe* to anything because it diminishes my freedom to switch to another distro whenever I want to - hence it diminishes the level of competition between the various distros.
No one is forcing you to subscribe. They are just making it attractive, so that they can pay their rent.
Even in the case of patched (hence nonstandard) sources, only standard patches should be used, ie patches available for any distro.
All patches are visible in the SRPM and in Mandrake packaging CVS.
If you want to have broken software (ie some software doesn't compile with gcc-3.2 out-the-box, some perl packages were broken by perl-5.8.2), insist on this. If you want software that actually works out-the-box for everyone, patches are essential. We don't patch software for fun. We patch software to add features or bugfixes that we feel are necessary.
it prevents you from truly learning gnulinux
Has Mandrake installed a patch which prevents vi from editing a config file? Or, maybe removed the man pages? Or maybe removed documentation?
Get real.
Any linux distro can be used to learn about Linux. It's the user who has to make the choice.
On distros like Slackware you don't have a choice, and that's why it is unproductive to do other things (besides learning the distro) on them.
For example, I much prefer documenting the setup of features that are much more difficult on other distros than spending hours getting basic configuration done.
As I said, you have some misconceptions. -
Re:Noteworthy....
In the past, Samba 3 was available for Mandrake, but support for it was flaky.
As maintainer for Mandrake's samba packages, I take exception to that, considering 9.2 had samba-3.0.0 (granted, 3.0.0 had some issues) available in contrib, and parallel-installable, compiled against MIT kerberos-1.3.x, with mostly integrated smbldap-tools etc etc etc.
Anyway, packages that are 99% like those in 10.0 are also available on the samba mirrors, like:
http://www.samba.org/samba/ftp/Binary_Packages/Mandrake/RPMS/9.2/
http://www.samba.org/samba/ftp/Binary_Packages/Mandrake/RPMS/9.1/
Note, they are also compiled to install in parallel so as not to mess up installations for people who might use the urpmi media for 2.2.8a packages and by accident get 3.0.x ...
Anyway, you can install via urpmi (if you have 9.1/9.2 boxen):
# urpmi.addmedia samba-9.2 \
http://www.samba.org/samba/ftp/Binary_Packages/Mandrake/RPMS/9.2/ with hdlist-ldap.cz
# urpmi samba3-server samba3-winbind
Hopefully I will get around to follow-ups of some documentation I did for samba-2.2.x which I think helped bring some cool features to Mandrake users.
Finally, there are also some nice additions (IMHO) to openldap (but one or two minor bugs that need to be fixed still ...). Makes the whole LDAP+Samba PDC and/or NT domain migration almost painless ...
BTW, this post seems to insist on putting a space between the n and d in Mandrake in the URLs ... remove it if it makes it to the page ... -
Re:Other ways to improve Linux security?
um... perhaps you have never used a system other than Debian?
RedHat uses GPG signing of all the packages they distribute.
Mandrake does as well.
Most RPM-based distros do, for that matter. Gentoo uses MD5 checksums to ensure the integrity of the Portage ebuild packages and source files.
While I am not attempting to play down your suggestions, your assertions that "our package managers ... are not controlled or vetted by a central authority" are blatantly false. -
Re:Links please?!
The link to the product lifetime table is right there in the article! Additionally, the link you provided is for an older series of products.
The current lifetime table can be found at http://www.mandrakesecure.net/en/productlifetime.php. (Again, this was straight out of the article!) -
Read the statement entirely...!
> Why they didn't provide the link to the table I
> have no idea, but after several minutes (way to
> damn long) of searching here it is: (...)
Did you read the statement?
"Additional information is located at:
# The home of the Mandrake Linux project.
# The home of the "Cooker" community.
# Mandrake Linux's Wiki for Cooker
# MandrakeSoft products
# Official MandrakeSoft product lifetime table
http://www.mandrakesecure.net/en/productlifetime.php"
-
Re:Links please?!
The link you provided is out of date. Read The Fucking Article. There is clearly a link to a much more current lifetime table available HERE!
-
Re:If they're doing so well..
You forgot you were on Slashdot. Red Hat's EOL policy is evil. Mandrake's similar EOL policy isn't discussed.
-
Fedora vs. Mandrake: a merger?
Despite financial problems earlier this year, Mandrake Linux has gained big popularity with their latest Linux distributions, and it seems to go quicker now (see distro ranking at distrowatch). They also have been pioneers of "what Red Hat should have done earlier" (release of ISO images, Cooker community...) and are inventing new interesting business models that seem to work now (Mandrake Club).
Compared to Red Hat, MandrakeSoft has very small financial capabilities, very low press coverage, but is still growing and attracting a large user and contributor community. Additionally, they now have a full range of products, from the pure desktop product to the clustering solution. They generally have excellent new technologies (URPMI/RPMDrake/dynamic desktop...), excellent support policy (see http://www.mandrakesecure.net) and again with very low resources. Why? Maybe MandrakeSoft understood something about the Linux community, a way to listen to it carefully (maybe too much sometimes).
Why wouldn't Red Hat trust Mandrake and let them deal with that? Red Hat could certainly buy MandrakeSoft easily, and the "Mandrake" brandname could become the community Red Hat brandname, by merging with Fedora. The "Mandrake" brandname is already very well known and this would be better for Red Hat than trying to impose the new "Fedora" brandname (this could take years).
Mandrake has always been a kind of little brother of Red Hat. They know how to do things Red Hat doesn't know how to deal with or doesn't want to do - and now they are profitable with this model. It could turn into a great thing for Red Hat and would help to catch a new big part of Linux users, in particular newcomers, individuals and small corporates, from the Windows world. At the same time this would avoid frustrating millions of Red Hat users that are now considering a switch to another Linux distribution.
So why wouldn't Red Hat trust Mandrake for the community side of Linux? -
Recent Red Hat failed on my hardware...
Stay away from... Red Hat! Tried to install it on three different machines: 1) installed (mostly) OK 2) X froze randomly once every minute... 3) the install was not possible (rebooted). I never had such annoying issues with recent Mandrake releases that are excellent for me (in my opinion) for heavy server use and corporate desktop as well. In addition, Mandrake provides excellent and professional updates through http://www.mandrakesecure.net. For free.
And regarding the LG-Cdrom issue, it's a... LG bug (not ATAPI compliant) and other Linux users were affected as well. -
Re:external hdd
linux doesn't erase external disks (without any announcement whatsoever), does it?
No, it just permanently fries LG's cd-roms.
-
Re:What we really need...
"Most CEOs won't like hearing that their books are being balanced in software not guaranteed to work."
What software is guaranteed to work?
If you buy software from, say, Microsoft or Intuit, there is a company who is saying "Buy this software because we guarantee it will work." Some even have money back guarantees, some try to weasel out of them, but all can be sued if something bad happens. This puts the minds of CEOs and other business leaders at ease because it means that somebody's ass is on the line, or at least that you covered your bases by using a well known or respected company. (Why do you think people buy Solaris when there are many cheaper alternatives?) And, of course, if you buy it and it doesn't work (i.e. on your machine) you can return it.
The GNU Public License, the BSD License, and just about every variation and incarnation of open source licenses states very clearly that the software is not guaranteed or warranted in any way. So, basically, you use it at your own risk. This makes business people very leery about using it. Now, many people like myself would argue that problems arise much less frequently than with closed source company bought software, but they do arise. Like, for instance, when the newest version of Mandrake Linux, version 9.2 came out with a bug that destroys certain CD Rom drives.
Now, if that were a Microsoft product, a class action lawsuit would undoubtedly be brought to bear on the company, and Microsoft would do something to appease big corporate customers. (Imagine Windows XP eating CDRoms when it came out. Now imagine a pissed off Gateway, Dell, Compaq/HP, etc. sending in a pack of flesh eating lawyers without due compensation.)
BTW. Most CEOs are too busy throwing parties on their 10 million yachts to worry about software.
Funny. I don't own a single yacht never mind 10 million, and I am a CEO. I also know many fellow CEOs who do not spend all of their time partying on 10 million yachts. See, it's sort of like this. People like me work our asses off for the company. Our life is the company. We also generally own a relatively large percentage of our companies. So when our company does well, we do well. And that's the way it should be. Otherwise, why else would I be willing to stay up working till 12:09 in the morning, and know I have to get up bright and early tomorrow morning?
The other thing people forget, is that there is no backup for the owner of a company. There is no unemployment insurance. I pay for my own medical insurance. And if the guy working for me screws up I do his job or I get in trouble-- because I can't say, oops, sorry, my subordinate screwed up. So we face intense pressure, risk, and work hard. Why shouldn't we be compensated?
-
Re:what part of 9.2 does this?
As mentioned by earlier posts in this thread, the packet-writing feature in the kernel package seems to be the culprit.
Looking at the listed errata for Mandrake Linux 9.2 here, there does not seem to be a specific fix for this issue. However the Bug Advisory:
MDKA-2003:020 - Updated packages fix various bugs in Mandrake Linux 9.2
found here lists a kernel update; the new package name and version is kernel-2.4.22.18mdk-1-1mdk. Presumably this corrects the bug or disables the specific kernel patch that is suspected of causing the problem. Unfortunately, the description of the fixes within the kernel update does not refer specifically to the LG issue, or any general cdrom issue for that matter, so perhaps a fix for this is still pending. -
Patch times
A quick check on the net tells us that:
The patch was announced by the KDE team on August 18th
Debian had a patch available on August 21st
Mandrake had a patch out on September 9th
RedHat had an update available on December 4th
I was unable to find this particular bug in the security archives of Gentoo, SUSE or Slackware (either they were not vulnerable, or never patched). I was unable to locate any security info on TurboLinux' or Conectiva's sites.
On Microsoft's site, I was unable to locate any security bulletins older than one year. -
Re:Samba starter question?
As Steve Jobs would want, here are the 'Lickable Links':
To centralize auth you can use:
NIS/NIS+ + PAM
OpenLDAP + PAM and More
SAMBA + PAM
Advanced LDAP/Samba
PAM is the way to go -
Re:Samba starter question?
to centralize auth you can use:
+ NIS/NIS+ + PAM -> http://www.tldp.org/HOWTO/NIS-HOWTO/index.html
+ OpenLDAP + PAM -> http://www.mandrakesecure.net/en/docs/ldap-auth2.php
http://www.skills-1st.co.uk/papers/security-with-ldap-jan-2002/security-with-ldap.html
+ SAMBA + PAM -> http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php
PAM is the way to go -> http://www.kernel.org/pub/linux/libs/pam/ -
LDAP? NIS?
My impression of Linux/Unix systems has always been that each host has its own set of user accounts and if I have 3 hosts it means that I have to maintain 3 sets of passwords. With NT4/Win2000, my servers share a common userspace so that you only have to maintain a single user account.
And you would have a similar impression if you only deployed individual Windows NT/2k servers ...
Is there something under Linux/Unix that does this?
Unix typically uses NIS, NIS+ or LDAP; however samba also provides Winbind for using groups and users from a Windows domain.
Plus, samba3 can use LDAP for storing its account details, making LDAP the best choice for enterprise account management (if anyone was thinking about using NIS ...).
The mandrakesecure.net site has some good articles on setting LDAP and samba (2.2.x with ldap support compiled in) up as a single authentication source.
How easy is it to drop a Samba server into an existing Win2000 network?
With samba3, trivial. With samba-2.2.x, you had to set certain options on the win2k domain controller (due to samba-2.2.x not having AD support). -
Re:So basically
It is called a "double" standard. To see more examples of the double standard take a quick look here and quickly scan the list for "root compromise". I'm not fingering any particular distro of Linux/*BSD/etc or any particular open source project as much as giving a url for a convenient example that shows that software developed by the open source movement seems to have bugs which can potentially allow a machine to be rooted.
Now go look at Microsoft's security vulnerability list (sorry no URL handy - poke around on technet.microsoft.com) and look for exploits in Microsoft software that can result in gaining local system privileges over the same period of time. You'll see that Microsoft is on pretty even footing although some of its products are more notorious than others for their inherent security flaws. -
Works fine in 2.2.8a
Last time I touched samba, there were issues joining machines to a domain where I had to manually add LDAP entries for machines, then join them.. Kinda tedious..
<plug>
Implementing a Samba LDAP PDC Setup
and
Implementing Disconnected Authentication and PDC/BDC Relationships Using Samba and OpenLDAP
</plug>
Those two documents cover a setup which will give you a PDC-BDC setup where any member of the right group (adm by default) will be able to join machines to the domain without having to pre-make machine accounts.
Also, passwd sync was hell, I ended up writing a password change web CGI that fed values into ldapmodify and smbpasswd to keep passwds in sync, since samba used LM and NT passwd fields within the samba ldap schema.
This can be addressed by using 'pam password change' and ensuring your pam_ldap setup is correct.
The biggest issue that samba-3.0.0 addresses (IMHO) is password expiry, which could be hacked onto 2.2.8a, but not easily ... -
for mandrake users
-
Re:Mandrake update
-
Re:Debian!
> What's Debian GNU/Linux problem?
_Certification_. Debian is not certified to run lots of commercial products. And vendors refuse to support this configuration.
I don't know why this guy is crying when FreeBSD gets only one year of support, SuSE gets 2 years (with no warranties) and Mandrake one year and a half (only for base packages).
If you need a long-lifetime distribution you should pay for it. Enterprise distributions like SuSE and Red Hat get five years of support and Mdk gets three.
But if you are brave, you can make it yourself. This is Open/Free software ;-)
-
Re:I'm more worried about...
* Yeah, yeah, Redhat supplies much more than just an OS, its all the apps too. I know, but even a support policy that covered the OS and the 50 most common apps would be an improvement.
I notice that Mandrake's product lifetime policy includes this idea. They support the "base" system longer than they do the desktop software, which means that servers don't need major upgrades as frequently to keep them secure. -
Re:hmmm
Ya, I think I missed the memo. Are we all supposed to hold Debian up as the One True Linux? I thought Slackware was the distro we were all supposed to mindlessly acknowledge as the most l33t.
Are we also supposed to chant "Mandrake is for newbies, Mandrake is about Ease-of-Use" repeatedly, or has it finally become fashionable to recognize their ties with clueful things like Bastille, Prelude, and other security-related projects? Sorry, I'm a little behind on my groupthink ;)
Linux is what you make of it, any distribution can be installed and configured to promote ease-of-use, security, maximum customization, and fine-grained control.
-
Mandrake Advisory
Mandrake has issued an advisory for this issue here, although it doesn't appear that the updated RPMs have hit their FTP mirrors yet.
-
Mandrake advisory
The full advisory for Mandrake can be found at MandrakeSecure.
-
Re:Backdoor on MDK beta
Moderators note, that posting is from one of the official Mandrake rsync dudes. Everyone check the GPG keys using Mandrake Secure. This advisory was mailed to the mirroring list just a few mins ago with GPG keys.
-
Re:osirusoft.com can be overzealous
>>I wouldn't suggest blocking based on osirusoft alone
osirusoft is combining many many rbl. The problem I have with it is osirusoft just seems to include every rbl they can get a hold of. SPEWS specifically seems to generate a lot of false positives. This seems to be because they will block entire netblocks, the administrators can not be contacted, the list is closed, and efforts to try and contact the administrators of the list are often futile as exemplified here. It would seem to me that just using one or two "quality" rbl would be just as effective.
Here are some relevant quotes from people posting about their SPEWS blacklisting problems.
"Hi, we are a law firm that bought from UUnet and it seems the last owners of this IP block were spammers. We're not, can you please remove us."
"Ever heard of due diligence? That's what you get for buying from UUNet, you'll get unlisted when they clean up all their spammers."
"Hi, we bought from some people who turned out to have a problem with hosting some spammers, but we're locked into a 3 year contract. We're a small shop without the money for lawyers to get out of it. We're not spammers, could you please unblock this one piece of IP which is just us."
"Sorry, you have to change providers. They breached your contract by failing to provide full internet access (since people are filtering them based on our listing)" -
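The post above argues that an aggregator which unions every RBL it can find inherits the false positives of its broadest member (netblock-wide listings), and that one or two quality lists would serve as well. The following added example (not code from the poster or from osirusoft/SPEWS) makes that concrete: it builds the reversed-octet DNSBL query name a mail server would resolve, then compares a block-on-any-hit policy with a quorum policy that requires two independent lists to agree. The zone names and the listings they return are constructed stand-ins; a real deployment would resolve dnsbl_query_name() over DNS instead of consulting the in-memory table.

```python
import ipaddress

# Constructed stand-in for live DNSBL zones (names and contents are invented).
# "broad-list.example" lists an entire /24, the netblock-wide behaviour the post
# complains about; the two "quality" lists only carry individual addresses.
SAMPLE_LISTINGS = {
    "broad-list.example": {"192.0.2.0/24"},
    "quality-a.example": {"192.0.2.99/32"},
    "quality-b.example": {"192.0.2.99/32", "198.51.100.7/32"},
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Return the name a DNSBL client resolves: the IPv4 octets reversed, then the zone.

    For 192.0.2.99 and zone example.org the lookup is 99.2.0.192.example.org.
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, listings=SAMPLE_LISTINGS) -> bool:
    """Offline replacement for the DNS lookup: listed when any entry of the zone covers ip.

    A live implementation would resolve dnsbl_query_name(ip, zone) and treat an
    answer in 127.0.0.0/8 as a listing.
    """
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(entry) for entry in listings.get(zone, ()))


def aggregate_policy(ip: str, zones, listings=SAMPLE_LISTINGS) -> dict:
    """Block on any hit: what a combined feed that unions every list effectively does."""
    hits = [zone for zone in zones if is_listed(ip, zone, listings)]
    return {"ip": ip, "hits": hits, "block": bool(hits)}


def quorum_policy(ip: str, zones, min_hits: int = 2, listings=SAMPLE_LISTINGS) -> dict:
    """Block only when at least min_hits independent lists agree on the address."""
    hits = [zone for zone in zones if is_listed(ip, zone, listings)]
    return {"ip": ip, "hits": hits, "block": len(hits) >= min_hits}


if __name__ == "__main__":
    zones = list(SAMPLE_LISTINGS)
    # 192.0.2.10 is a clean host inside the broadly listed /24: the aggregate
    # policy rejects its mail, the quorum policy does not.
    for ip in ("192.0.2.10", "192.0.2.99", "198.51.100.7"):
        print(dnsbl_query_name(ip, zones[0]))
        print("  aggregate:", aggregate_policy(ip, zones))
        print("  quorum:   ", quorum_policy(ip, zones))
```

The quorum threshold is the knob: with min_hits=2 a single netblock-wide listing cannot by itself bounce mail, while an address that several lists carry independently is still rejected. Logging the hits list alongside the decision keeps each rejection explainable when a sender asks why they were blocked.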
Mandrake Updates Available Too
Here's the advisory with instructions...
The ftp sites in France are usually updated the quickest.
-
MandrakeSecure
Mandrake Linux has recently opened a new site called MandrakeSecure which is focused on securing a Mandrake box.
A recent article posted on MandrakeForum talks about ways to handle SPAM using postfix and qmail. Maybe this can be useful to the larger slashdot crowd?