Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20140215201042.GA18914@openwall.com>
Date: Sun, 16 Feb 2014 00:10:43 +0400
From: Solar Designer <solar@...nwall.com>
To: Petter Reinholdtsen <pere@...gry.com>
Cc: Dimitri John Ledkov <xnox@...ian.org>, 738855@...s.debian.org,
	oss-security@...ts.openwall.com
Subject: Re: Bug#738855: initscripts: Skip killing root-owned process starting with @

Hi,

I am a moderator for oss-security, and I am unsure whether we want to
accept or reject postings made to the Debian bug and merely CC'ed to
oss-security by people who haven't participated in the discussion thread
on oss-security (and most likely have not even looked at it), and where
such postings are not security focused.  I feel that they'd be partially
out-of-context, and I feel that the discussion on the Debian bug might
go for a long while (this is fine on its own, but not for having it all
CC'ed to oss-security).

I reluctantly approved Petter's posting, although it was unclear if it
was CC'ed to oss-security on purpose or accidentally.

FYI, the thread on oss-security started here:

http://www.openwall.com/lists/oss-security/2014/02/14/4

and you may see follow-ups (which were _not_ CC'ed to the Debian bug)
via the "thread-next" link.

Dimitri, since you were the one to add the CC:, what would you like us
to do?  So far, Petter's is the only such comment CC'ed to oss-security
after yours, but I suspect that many more comments will be posted to the
Debian bug later (since there's no consensus), and many may/would be
CC'ed to oss-security without specific reason (OK, maybe my bringing the
question up will affect this and it won't be happening).

I think it may be appropriate to discuss non-security/development
aspects of this issue on the Debian bug and maybe on the Distributions
list:

http://lists.freedesktop.org/archives/distributions/

and security aspects on oss-security.  Or is this separation not
justified?  Maybe I am imagining the threat of this turning into a
lengthy thread that is only tangential for oss-security?

I don't intend to spam the Debian bug by CC'ing it on many more messages
like this, yet I felt I should keep it in the loop this time.

Thanks,

Alexander

P.S. This is a rare occasion where I think top-posting works best, so
here's the quoted message:

On Sat, Feb 15, 2014 at 08:20:12PM +0100, Petter Reinholdtsen wrote:
> I am not convinced this is something we should implement in
> init.d/sendsigs.  If we are going to implement this systemd
> compatibility, it might be better to implement it as a option for
> killall5, instead of faking omitpid values.  Anyone willing to write
> such implementation?  killall5 already know about all processes and
> their names, and asking it to ignore processes matching some regular
> expression should not be very hard.
> 
> -- 
> Happy hacking
> Petter Reinholdtsen

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.