Slashdot Mirror


User: uhoreg

uhoreg's activity in the archive.

Stories: 0
Comments: 163

Comments · 163

  1. Re:this openssh thing smells funny on Slashback: OpenSSH, Bio, Timeliness · · Score: 1

    In retrospect, adopting a policy of "until we know what it is, there is no problem" would have saved a lot of people a hell of a lot of unnecessary stress.

    Now that we know what the vulnerability is, I agree. Had it been as bad as Theo originally made it out to be, I would say that it was good that Theo gave admins some advance notice. Of course, it would have been nice if Theo gave the distributions a bit more details too.

    BTW, Debian's woody packages were vulnerable, because there was also a bug in the PAM code that ISS failed to mention in their advisory. (Although the PAM bug may or may not have been exploitable.) Potato wasn't vulnerable.

  2. Re:iTunes like app? on GNOME 2.0 Released · · Score: 2, Informative

    Heh. It's right in the screenshot's filename. Rhythmbox. Do a Google search for it. (Apparently, though, it is going to become less iTunes-like -- hopefully for the better.)

  3. Re:Gnome 2 is terrible to configure on GNOME 2.0 Released · · Score: 1

    Read the Metacity README file! This is one of Metacity's precious few user options.

    This is a different issue. This is raise-on-click -- not sloppy focus. i.e. if you have a window partially obscured by another, and you click on it, it will jump up to the top. This is completely separate from window focus.

  4. Re:Using the Debian packages on GNOME 2.0 Released · · Score: 1

    man apt_preferences. apt (at least the one in Woody and up) by default does not upgrade already-installed packages to the experimental version. And for good reason too -- you wouldn't want to be locked out of your machine because you accidentally installed an experimental (broken) PAM release. So read the man page, and fix it yourself. If you use experimental, you should expect to have to do some fixing anyways.

  5. Re:this openssh thing smells funny on Slashback: OpenSSH, Bio, Timeliness · · Score: 1

    If we were told what the problem was then we could make informed decisions about how to deal with it.

    The bug is probably in the authentication code somewhere. You can upgrade to 3.3, turn OpenSSH off, or firewall off everyone except for trusted hosts. That's about it. If you want more details, look through the source yourself, or hit your server with random data until it breaks.

    1. Black hats probably already know the exploit.

    Right, and they knew about it before Theo did. If they wanted to attack you, they would have done so already. By delaying the details (note: delaying, not withholding), he's preventing script kiddies and "your enemies" from knowing about the exploit before you can be secure.

    And because Theo won't disclose the exploit there's no real certainty that the new version isn't also broken.

    The new version is still broken. It just prevents the vulnerability from being exploited.

    Honestly if Theo had said "we have an exploit, here it is, we won't have a fix for 3 months" then I'd be LESS angry than with his non-disclosure and his "YOU DO THIS NOW" demands.

    Or would you prefer that Theo said "here's a bug, here's a patch"? Well he's going to do that next week. He didn't have to make this announcement at all. By doing this, he's doing you a favour, so that you can be safe before the bug details are released, and the kiddies start poking around. The only reason people are getting angry is because Theo is providing more information (i.e. a pre-announcement) than would normally be provided. If you don't like this announcement, ignore it and wait until next week. He's not saying "YOU DO THIS NOW." He's saying that if you want to be immune before next week's attacks start happening, here's what to do.

  6. Re:this openssh thing smells funny on Slashback: OpenSSH, Bio, Timeliness · · Score: 1

    I would like to know more details as well, but I don't think that comparing this with Microsoft is fair. OpenSSH is much more bug-free, and this is (AFAIK) the only known vulnerability in OpenSSH, at least for a long time, and I don't think that anyone is treating this as "just another bug-fix". Theo already said that details will be released next week, and if they aren't, his mail box will be flooded (if it isn't already).

    At least Theo is saying something right now. He could have just waited until next week to disclose the fact that there is a vulnerability at all.

  7. Re:ssh vulnerability disclosure? on Slashback: OpenSSH, Bio, Timeliness · · Score: 1

    The reasonable interpretation would be that ISS found the hole.

  8. Re:this openssh thing smells funny on Slashback: OpenSSH, Bio, Timeliness · · Score: 3, Insightful

    How is this an irresponsible announcement? This is about as responsible as you can get. "There's an exploit in our code. We can't tell you exactly what it is yet, because we don't have a full patch yet, and we don't want exploits flying around until we do, but if you do [insert procedure here] (which is a good idea anyways) the vulnerability is not exploitable. The patch will be available next Monday." Would you rather they announce it next week, after they have the full patch, so that we can have a race between script kiddies and admins again? Or would you rather know that your machine is safe from the kiddies, before they have the exploit?

  9. Re:Oh, great. on New Open Video Codec From Xiph/On2 · · Score: 2, Interesting

    Nope. Read the interview. Just a bit above the middle of the page.

  10. Re:But what about more than 2-channel audio? on New Open Video Codec From Xiph/On2 · · Score: 4, Informative

    Read the last question of the FAQ. "Vorbis does currently support greater than two channels; the default multichannel mapping in the 1.0 release supports up to 255 simultaneous channels." (Mmm. 255 channels.)

  11. Re:There is nothing wrong with RPMs. Only packager on Is RPM Doomed? · · Score: 1

    re: #2. Ah, I see. Too bad RedHat doesn't tell you how to do it. BTW, is that a new feature? My last experience with RedHat was 6.2.

  12. Re:There is nothing wrong with RPMs. Only packager on Is RPM Doomed? · · Score: 2, Interesting

    The biggest problem I found with RedHat's packaging is that they don't do versioning properly. For example, I was trying to install GNOME a while back on an RH6.2 machine, and it needed [library] (I forget exactly which library it was) version x, but some other package on the system needed [library] version y. This meant that I couldn't install the prepackaged version of GNOME, and had to build it myself. This is just like DLL hell in Windows.

    On the other hand, in Debian, if you have two versions of a library, and their APIs are incompatible (which is the only reason packages would need to depend on a specific version of a library), you will have one package called, say, [library]1 and one package called [library]2, and packages can just depend on [library]1 instead of [library] version x. This way you can have both versions installed at the same time, and everyone's happy.

    My second pet peeve with RPM is that you need to be root to build an RPM from source. In Debian, you just need to use "fakeroot", which means that the build process thinks you're root, but you can't accidentally do anything too nasty to your setup.

  13. Re:carpal synd fixed, but what about the rest? on Vertical Keyboard vs Carpal Tunnel · · Score: 1

    IANA human anatomist, but my guess is that it would not hurt to rest your arms on something when your hands are vertical. When your hands are vertical, it looks like the bottom part of your arm is mostly bone -- no blood vessels, soft tissues, etc.

    I agree about the central keys. It would make more sense to put them on the sides rather than in the middle.

    (BTW, "quickly", not "fastly". There's no such word as "fastly" in English.)