On Sat, 2010-05-15 at 02:18 +0200, Stefano Zacchiroli wrote:
> Guys, IMHO you really need to stop ranting contentlessly. Either you
> reply to the technical arguments in favor of the change that have been
> made (e.g. by Russ Allbery in this thread, to which you carefully
> avoided to reply thus far), and roll-up your sleeves to help fixing what
> is broken,
> or you shut up.
So much about "stop ranting"...
> If that's asking too much, please at least understand that messages like
> the ones I've quoted above don't add anything to the discussion, and
> will just piss off people, reducing in general the willingness to
> contribute to Debian. Is that what you want?
Well,... I do not want Santiago to stop his contributions, as he does
excellent work, but I want to have contributions/changes stopped which
thin out security, even it this is may only happen in
An example: We're more and more depending on "utopia" stuff: consolekit,
policykit, and so one.
All of them promise nice features so in principle it's ok to have them
and depend of them.
But I don't trust that all of them are already very mature.
Recently there was a bug in one of them (udisks), which simply offered
dmcrypt keys to any user.
Of course this can happen and we've seen many other security critical
bugs, and this was definitely not the fault of the package's maintainer,
as it was an upstream bug....
... nevertheless it shows how stuff which is primarily there to make the
system more "friendly" or "simplified"... Ubuntu guys would probably
call it an "experience" (wtf...) can be a big danger.
In that specific case,... apart from a changelog entry (which is surely
not read by everybody), there was no info about that extreme security
hole, which would have been very important however, as fixing the code
does not close the hole in that case, as any normal user might have
already copied the keys.
> Finally, I remind you that in Debian in general package maintainers are
> free to take technical choices for the package they maintain;
Well,... this model has not only advantages,... which does not mean that
I suggest to use a different model.
Anyway policy should mandate to use hardened/secure settings whenever
> if you
> really think the choice is wrong, you should try to convince him that it
> is the case.
Well I've tried, and it seems that personally he'll also stay with
022,... but it seems that it's impossible to "win" against the obvious
> To that end, mails like the above surely don't help.
Sometimes, outcries are needed.... which does however not mean that
they'll change anything (especially as I'm non-DD).