I guess it's somebody who somehow managed to r00t a poor guy, then realized it was a Debian Developer's box and he could get onto the Debian machines, so he did it. If he would have by chance got access to the passwords of an SCO employee, he probably would have done the same, in case SCO still runs Linux internally. Then again, nobody knows yet, right?
It's ok because it's the kernel that's been exploited; not Debian. wtf?
Nobody says it's OK. This is a serious problem. I was just saying that this problem was not Debian-specific, i.e. it could have happened on any other Box running a (by that time) released Linux kernel, as long as the attacker had local access.
what's Debian without the Linux kernel?
Not much. But note that Debian also works on Debian (GNU/)*BSD and Debian GNU/Hurd, not only Debian GNU/Linux.
So the exploit was known for a long time, and the next kernel version, 2.4.23, came out on 2003-11-28! This is dangerous.
Well, the issue was known for a long time, but apparently nobody thought it was exploitable until now. This is still very much on the edge of bug-handling by Linux upstream I guess.
The timing of the attack (just before the release of 3.0r2)
Joey sent several "preparation of 3.0r2" mails during the last six months. Things seemed to get a bit more relevant lately, but at least I did not expect an immediate release. And anyway, 3.0r2 is just a cumulative security patch, mostly. Everybody should already have most of the modified packages installed via security.debian.org.
I don't believe the release of 3.0r2 has anything to do with the timing of the attack.
But, whats the point of calling it "r2" if most of the stuff or a lot of it has already been released?
It's called a "Point-Release". The whole point of it is to only collect the security updates and a few critical bug-fixes, so that everybody who will install woody gets a secure system immediately, without having to upgrade it via security.debian.org.
Which, by the way, are also the versions in testing right now (not sure about X).
Michael
Re:aspell removed for "license problems"? on Debian 3.0r2 Released (Score: 2, Insightful)
the GFDL-issues are not regarded as critical for woody. Current consensus seems to be that the GFDL should also be ignored for the sarge release, as far as package removals are concerned.
Whatever it was that led to the removal of aspell, it was *not* the GFDL.
Michael
Re:aspell removed for "license problems"? on Debian 3.0r2 Released (Score: 3, Informative)
"The license incorrectly says that it's LGPL but it is in fact a unique license which is non-DFSG-free."
That's what the Bug-Report resulting in this removal said (according to the Woody ChangeLog). I don't have any other information about this, sorry. Note that GNU aspell is still in unstable, so perhaps it was about a specific version being non-free in the past, which happened to be included in woody.
Two of the packages apt-get wants me to upgrade---bsdutils and mount---aren't in the list.
bsdutils and mount are both binary packages built by the util-linux source package. The announcement only lists source packages, one of which is util-linux.
I seriously doubt that the Debian team even looked at the available GPL licensed installers before deciding to write their own from scratch.
Please note that the new Debian-Installer was already scheduled for woody, but did not make it in time. Debian then had to rescue the old boot-floppies and get them up to date, which took about a year, delaying woody significantly (along with various other things). Thus, this "new" installer actually got started at least 2-3 years ago. I honestly don't know whether Anaconda was available back then or what other installers were evaluated. Also note that debian-installer is heavily interwoven with ordinary debian packages and debconf, the standard debian package configuration system, which makes it quite modular and easily maintainable from a Debian point of view.
The actual point of the new debian-installer is that the code of the old one is/was an unmaintainable, monolithic piece of shit that nobody (including its last maintainer) wanted to touch with a pole, much less compile.
The new debian-installer introduces 'microdebs', which are stripped down debian packages for all components. This makes it extremely flexible and modular, as they are built from the same source packages as the corresponding ordinary packages and normal debian archive tools are applied to them. Additionally, the user interface heavily relies on debconf (AFAIK), which makes changing it a matter of writing a new debconf frontend (of which several exist already).
Oh, and it has hardware-detection, btw.
Don't do like dselect does and as soon as they say they want package X, tell them package Y, Z, and Q are required....just let them select it, perhaps as part of the description have the dependencies listed.
That's probably the stupidest thing I've read in the comments to this article. What do you think 'Depends' are for? (I haven't read them all, of course)
Debian doesn't have the same commercial backing as RedHat (read: $$$). As a result, they lack the manpower to develop multiple installer solutions.
Actually, no, we don't lack the manpower. It's just that not so many developers are interested in a thing they see only a couple of times in their life, if at all. But rejoice, Joey Hess is back on the debian-installer track and stuff is moving along nicely.
"...but due to its modular design the developers can stick almost any front-end on it they like. There are already test builds using a GTK (ie: Gnome-style) GUI with mouse-driven menus etc, and if you really wanted to you could build a front-end using anything from a Braille device to Macromedia Flash."
Note that Mario Lang already has Braille working mostly for the new debian-installer. It needs a bit of hand-work, but works successfully AFAIK.
You're showing a profound lack of clue, given your low /. User-ID.
Debian, who brand their dist as GNU/Linux following the example of the Great Leader, ESR.
That's RMS, of course. ESR is in no way affiliated with GNU.
Debian, who have flame wars on the developers over whether a contribution is free enough.
Those discussions brought us a Free Qt/KDE ensemble and lately a really Free LaTeX. Nobody needs to follow those discussions if he doesn't want to, anyway.
Debian, where 'stable' means two years old.
Woody is less than a year old. But yeah, the next release is not exactly ready to go.
why it hasn't been included into the main branch then?
Because the 'main branch' is 3.0 aka woody aka 'stable' and debian does not introduce stuff like Hardware Detection in Point Releases ala 3.0r2.
Be assured that there will be automatic Hardware Detection in the next stable release (whenever that will be). It has been in the new, still alpha, Installer for months now I think.
Debian Developers usually get humiliated in public if they upload a broken package to unstable without testing it. Of course, this is somehow proportional to the importance of the package, but if a Developer somehow manages to mess up other packages, too, he will have a hard time defending himself.
Bah, just don't read debian-legal then. I sure do not. But please give some kudos to those people who helped get Qt/KDE back on track and most recently made LaTeX truly and unambiguously Free Software.
Michael
Re:its too bad Miguel wasn't broad minded. on Ximian's Back (Score: 1)
Their goal was to accelerate the adoption of Linux as a desktop platform.
Well, that's not entirely accurate.
A worthwhile goal would be to accelerate the adoption of OPEN SOURCE OSes as a desktop platform.
Their goal was a Free desktop Environment for the GNU system (GNOME means GNU Network Object foo Environment). Thus, it was not particularly designed for Linux, but for any POSIX-compliant OS with X11. Note that the GNU system is Free Software, not Open Source and that GNOME is used by different operating systems (Solaris, GNU/Hurd, probably *BSD), too.
They claim to use APT. APT (as used in Debian) does not offer any security (neither package signatures are verified, nor can you use HTTPS for download).
Checking the integrity of the distribution by using the signatures on the Release file is being taken care of (from IRC):
(walters) azeem: my friend and I are almost done with our apt patch. it works now, we just have to clean it up.
(walters) azeem: individual package signatures is another thing though.
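The exchange above describes the two-level integrity model apt was moving to: a signed Release file that lists the hashes of the Packages indexes, which in turn list the hashes of the individual .deb files. The following is an added illustration, not apt's own code nor code from anyone in this thread: it builds a constructed, simplified Release file and Packages index (real ones carry more fields and, at the time, MD5Sum/SHA1 sections instead of SHA256), then walks both unsigned links of the chain. Checking the signature on the Release file itself (Release.gpg or InRelease, via gpg) is the step the IRC patch refers to and is assumed to have happened before this code runs.

```python
"""Chain-of-integrity check for an apt archive (added example).

The gpg signature on the Release file anchors the chain; this code covers the
two unsigned links below it: Release -> Packages index, Packages index -> .deb.
All inputs are constructed; nothing here is a real Debian archive.
"""
import hashlib


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_packages_index(debs: dict) -> bytes:
    """Constructed Packages index: one stanza per .deb with Size and SHA256."""
    stanzas = []
    for path, data in sorted(debs.items()):
        name = path.rsplit("/", 1)[-1].split("_")[0]
        stanzas.append(
            f"Package: {name}\nFilename: {path}\n"
            f"Size: {len(data)}\nSHA256: {_sha256(data)}\n"
        )
    return "\n".join(stanzas).encode()


def build_release(indexes: dict) -> str:
    """Constructed Release body listing each index under a SHA256: section."""
    lines = ["Suite: stable", "Codename: woody", "SHA256:"]
    for name, data in sorted(indexes.items()):
        lines.append(f" {_sha256(data)} {len(data):>16} {name}")
    return "\n".join(lines) + "\n"


def parse_release_hashes(release_text: str, section: str = "SHA256") -> dict:
    """{index name: (hexdigest, size)} taken from the named hash section."""
    out, active = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new top-level field
            active = line.rstrip() == section + ":"
            continue
        if active:                            # indented hash/size/name entry
            digest, size, name = line.split()
            out[name] = (digest, int(size))
    return out


def parse_packages_index(index: bytes) -> dict:
    """{Filename: (SHA256 hexdigest, Size)} from a Packages index."""
    out = {}
    for stanza in index.decode().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Filename" in fields:
            out[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return out


def verify_index(release_text: str, name: str, data: bytes) -> bool:
    """Release -> index link: size and SHA256 must match the Release entry."""
    entry = parse_release_hashes(release_text).get(name)
    return entry is not None and (_sha256(data), len(data)) == entry


def verify_deb(index: bytes, path: str, data: bytes) -> bool:
    """Index -> .deb link: size and SHA256 must match the Packages stanza."""
    entry = parse_packages_index(index).get(path)
    return entry is not None and (_sha256(data), len(data)) == entry


def demo():
    """Build a constructed archive, then check a good and a tampered .deb."""
    deb = b"!<arch>\n" + b"constructed-deb-payload\n" * 8   # not a real .deb
    path = "pool/main/e/example/example_1.0-1_i386.deb"      # constructed path
    packages = build_packages_index({path: deb})
    release = build_release({"main/binary-i386/Packages": packages})
    good = (verify_index(release, "main/binary-i386/Packages", packages)
            and verify_deb(packages, path, deb))
    tampered = verify_deb(packages, path, deb + b"\x00")    # one byte appended
    return good, tampered


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The point of walking both links is that a mirror (or anyone on the path to it) can replace a Packages index or a .deb, but not the hash that a signed Release file commits to; so once the Release signature checks out, every byte apt fetches below it is verifiable offline, without needing HTTPS or per-package signatures.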
Yeah, that has been discussed on debian-devel as well. Seems the chances are good that tg3 might get back in, with a patch disabling the firmware.
Michael
Michael
This has been confirmed in an earlier post.
So which individual was sending passwords in the clear?
Exactly how the attacker managed to get the password is unknown so far. Suffice it to say that he got the password and thus access to the machines.
And if it's a Debian developer who's done this
There are far easier ways for Debian Developers to mess up Debian. That's why there are the tough entry exams, aka the Debian New-Maintainer process.
Michael
Is this attack path confirmed somewhere? I couldn't find a mention of this in elmo's original announcement.
Michael
Good news, then. This article is about the *new* installer!
Michael
That's what 'apt-get remove' (or however your linux distribution calls it) is for.
Michael