Security Updates


Forum: Extension Development
Topic: Security Updates
started by: lucky13

Posted by lucky13 on June 01 2008,12:37
Starting a new topic to keep the "compile issues" thread from being hijacked.

curaga re: my idea of packaging a zlib+ssl+ssh security update:
Quote
They are important, but what about all other stuff that has had security updates (png, jpeg, FF, glibc, etc. etc.)?

Those are also important and I also have libpng, ungif, etc., updated on my hard drive install. The differences between vulns in the image libs and the three I listed are like night and day: the vulns in the image libs are usually limited to causing crashes and DOS while the vulns in ssl/ssh present problems with MITM and other attacks that pilfer private data or make it easier to do so.

I'm not dismissing the severity of problems with other libs or apps. I'm just a lot more concerned about the integrity of the libraries and apps that protect my privacy and my data.

Quote
Just saying it might not be worth going for, as to be secure it would need a total overhaul.

"Going for" is already done on the three I listed; they just need to be stripped and packaged. And, as I noted, I could also submit the image libs as well if there's interest. Beyond that, you're right because it would take a lot of effort to patch it all and tiny core will be out soon with a fresher base and fewer things to keep an eye on. That's another reason I favored making DSL a lot more modular when Robert polled about it last year -- it'll make this issue a lot easier to manage going forward.

Posted by curaga on June 01 2008,12:57
I guessed you'd say that, and I agree. It's not worth it trying to update the current DSL, but the tiny core will be different.
Posted by Jason W on June 03 2008,13:49
I personally would be interested in a .dsl that has an updated libpng, libjpeg, openssh, openssl and so forth.  The gtk2 extensions have many updated libraries like that and it is pretty well proven they cause no problems with existing base apps or other extensions.  If someone was building a non-gtk2 app that requires updated image libs it would be nice to have an extension containing such as to not have to include the updated libs in each extension.  That as well as the security concerns with things such as ssl and ssh.  Maybe an .dsl for image libs and a separate one for ssl/ssh.
Posted by lucky13 on June 03 2008,15:06
Quote
Maybe an .dsl for image libs and a separate one for ssl/ssh.

That's kind of where I'm leaning but it may easier and simpler to manage if I put them all in one. I should have time to work on it this weekend, maybe sooner if I don't have to travel this week.

Posted by lucky13 on June 10 2008,19:26
Update...

I was going to submit this all-in-one with SSL headers so other apps could be compiled against it. That would make it pretty big and unsuitable for users who just want the SSL/SSH/zlib updates. I'm holding back on these until I see what Robert is doing with tiny core. I only know he said he's using dropbear instead of SSH which means we'll need an OpenSSH and sshfs extension(s) for tiny core. Maybe the fuse module, too, if that's out of the base.

I don't know what version of SSL is in tiny core and if all of this will turn into many little pieces or one big package or if I need to separate the SSL headers from the rest so there's an update package and a dev package.

Posted by jpeters on June 11 2008,04:59
Quote (lucky13 @ June 10 2008,19:26)
Update...

I was going to submit this all-in-one with SSL headers so other apps could be compiled against it. That would make it pretty big and unsuitable for users who just want the SSL/SSH/zlib updates. I'm holding back on these until I see what Robert is doing with tiny core. I only know he said he's using dropbear instead of SSH which means we'll need an OpenSSH and sshfs extension(s) for tiny core. Maybe the fuse module, too, if that's out of the base.

I don't know what version of SSL is in tiny core and if all of this will turn into many little pieces or one big package or if I need to separate the SSL headers from the rest so there's an update package and a dev package.

Here are the files used with openssh on Puppy:

< http://jpeters.net/apps/openssh-5.tar.gz >

Posted by lucky13 on June 11 2008,14:11
Quote
Here are the files used with openssh on Puppy

I don't take cues from operating systems with root-only ssh login by default. Heh.

Thanks. I already know *which* files need to go in. The question is how I want to do it with respect to all-in-one, separate versions for DSL and DSL-tiny core (since it'll have dropbear instead of OpenSSH and therefore also need an sshfs extension, etc.), separating out SSL headers, etc. I don't want to make five or six different versions if I can get away with one or two. Or three.

Posted by jpeters on June 11 2008,15:09
Quote (lucky13 @ June 11 2008,14:11)
Quote
Here are the files used with openssh on Puppy

I don't take cues from operating systems with root-only ssh login by default. Heh.

I feel much more secure typing "sudo scp"  :D
Posted by lucky13 on June 11 2008,16:07
My sudoers:
Code Sample
root ALL=(ALL) ALL
# knoppix NOPE=(nuh-uh) not-here!
# dsl NOPE=(nuh-uh) not-here!

The rest of it is set up on Cmnd_Alias for specific commands per group rather than system-wide root access. Some commands requiring password, some not.

edit:
< http://lucky13linux.wordpress.com/files/2008/06/sudosu-not.png >
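As an added illustration (not lucky13's actual file) of the layout described above, a sudoers fragment built on Cmnd_Alias entries granted per group, with some commands exempt from the password prompt and none of them opening a root shell. Group names and command paths are hypothetical:

```sudoers
# Added example, not the poster's sudoers. Group names and paths are hypothetical.
root    ALL=(ALL) ALL

# One alias per task, with absolute paths so nothing outside the list can be run.
Cmnd_Alias NETWORK  = /sbin/ifconfig, /sbin/route, /sbin/iwconfig
Cmnd_Alias MOUNT    = /bin/mount, /bin/umount
Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/reboot, /sbin/halt

# "net" group members may reconfigure interfaces without a password.
%net    ALL = NOPASSWD: NETWORK

# "staff" may mount media and shut down, but must type a password for both.
%staff  ALL = PASSWD: MOUNT, SHUTDOWN

# "admin" may shut down without a password; mounting still asks for one.
%admin  ALL = MOUNT, NOPASSWD: SHUTDOWN

# No blanket entry for the live-CD user: the default line stays commented out.
# dsl ALL=(ALL) NOPASSWD: ALL
```

The tag before an alias applies to every command that follows it on the line until another tag appears, which is why MOUNT and SHUTDOWN get different treatment on the last rule. Check syntax with `visudo -c -f <file>` before installing the file; a parse error in sudoers locks everyone out of sudo at once.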

Posted by meo on June 25 2008,21:35
Hi!

A lot of words but very little workshop in favor of the community it seems.

Have fun all you who help out others in the community,
meo

Posted by lucky13 on June 30 2008,15:26
Quote
A lot of words...

What's your point? I explained why I haven't submitted these extensions and when I will. What part of "I'm holding back on these until I see what Robert is doing with tiny core" do you fail to grasp?

Posted by meo on June 30 2008,16:12
Hi!

My point is just that since the tiny core probably will have a long alpha, beta and RC cycle some might want those security updates for the 4.x.x series. I'm not concerned about my setup in this case but if you wait for the tiny core release (a functional one) who knows how much time will pass. Although naturally it's up to you if you want to help out those concerned with these security updates in the community now or if you want to wait for an unspecified date in the future.

Have fun with DSL all you concerned about the whole community,
meo

EDIT: I didn't fail to grasp anything (I seldom do) but you started this thread a month ago and there has been "just words". Why start a thread if you aren't going to do anything constructive until some unspecified time in the future?

Posted by lucky13 on June 30 2008,16:31
Quote
...some might want those security updates...

They can find and compile them from source themselves if they're in such a hurry.
Quote
I'm not concerned about my setup in this case...

Good, that makes two of us.
Quote
...naturally it's up to you if you want to help out...

Exactly! Which is why I'm curious why you choose to whine about any of this.
Quote
...if you want to wait for an unspecified date in the future.

Yes, I do want to wait for an unspecified date in the future.
Quote
I didn't fail to grasp anything...

You obviously did.
Quote
Why start a thread if you aren't going to do anything constructive in the foreseeable future?

Look who's talking. How many threads have you started and how many submissions and/or contributions have you made?

Between my own work, family, vacation, and the pending release of core, etc., I don't feel obligated to do things according to your schedule. If you're not satisfied with how I do things, the criteria I set for when I submit extensions, etc., please feel free to do it yourself.

I wondered last week if I should bother participating in any community between being called names, being told I should go start my own distro, that I should leave my comments to my blog, etc. Thanks for helping me re-evaluate this question again. I really don't know why I bother suffering fools. Especially impatient, judgmental ones.

Posted by curaga on June 30 2008,17:09
Uh.. Sorry to interrupt you guys with a theoretical question, but wouldn't this break every single extension that uses openssl? Some are very picky of it..
Posted by meo on June 30 2008,17:47
Hi again!

I'm not "whining" about anything. I just don't understand why someone brings up a topic about an extension and then just postpones it to an undefined future but naturally that's up to you. Maybe I got the whole thing wrong when I thought that you almost were done making this extension. I didn't try to impose a schedule upon you because naturally the whole thing is up to you if you want to submit this security update or not and when you wish to do so. When it comes to threads I've started I don't know how many they are since I have been active in this forum almost from the start. But just according to the hits in the remastering thread I started more than 4 years ago my hope is that I have helped at least several hundred just by this thread and at least bcrypt (that I compiled into my remasters up to DSL 3.3) is now a permanent part of DSL. That is just what I hope I have done for those interested in DSL in a single thread. To help others is the main reason for why I post anything in this forum or maybe asking those who have the skills to make an extension that will be of benefit not just for me but to the whole community and everyone else interested in DSL.

Have fun all you who like this incomparable distro,
meo

Posted by ^thehatsrule^ on June 30 2008,17:56
Quote (curaga @ June 30 2008,17:09)
Uh.. Sorry to interrupt you guys with a theoretical question, but wouldn't this break every single extension that uses openssl? Some are very picky of it..
From my experience I've changed ssl libs without having compatibility problems in the applications (incl. windows dlls).  Maybe it keeps the same API?  After all, the naming could be something like lib*.so.0 ... but this is really just my guesswork.

Posted by lucky13 on June 30 2008,18:04
You're not interrupting. At least someone here has a constructive question and/or constructive criticism. Thanks for asking and elevating the discussion.

It won't affect "every single" extension, but you're right that some of them may have problems. That was one of the other reasons for holding back and seeing what's going on with core and if the two will share extensions, etc.

That said, I've used quite a few extensions built with newer OpenSSL versions. IIRC, the svn UCI in testing has its own OpenSSL. That one comes to mind but I think I've seen it in a few others. I'm grep'ing mydslinfo now and see Juanito also added it to compile-3.3.5.uci.

I've also had zero problems with the other extensions I've used. Since I compiled most of the crypto- and security-related software (e.g., gpg, etc.) I use against the newer libs, I would also submit those. I prefixed most of the apps (e.g., gpg, Sylpheed with gpg, etc.) in /opt so I could submit as UCIs.
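curaga's question above (will extensions that link against OpenSSL break?) and ^thehatsrule^'s guess that it depends on the soname can be answered per extension rather than by trial. The following is an added example, not anything from the thread or from DSL: a POSIX sh script that walks an unpacked extension, lists the libssl/libcrypto sonames each ELF file asks for, and reports any that the libraries in a given directory no longer provide. It assumes GNU binutils' `readelf` is installed; the directory arguments are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): find which ELF files in an unpacked
# extension link against OpenSSL and whether the soname each one asks for is
# still provided by the libraries in a given directory. Assumes GNU binutils'
# readelf is available; all paths given on the command line are placeholders.

# Print the libssl/libcrypto sonames that appear as NEEDED entries in
# `readelf -d` output read from stdin, one per line. Kept separate from the
# readelf call so it can be exercised on constructed text.
ssl_needed_from_readelf() {
    grep '(NEEDED)' | sed -n 's/.*\[\([^]]*\)\].*/\1/p' \
        | grep -E '^lib(ssl|crypto)\.so' || true
}

# Read sonames from stdin (one per line) and print those not found in the
# space-separated list of sonames the installed libraries provide.
missing_sonames() {
    provided=$1
    while read -r needed; do
        found=0
        for p in $provided; do
            if [ "$p" = "$needed" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$needed"
        fi
    done
}

# Collect the DT_SONAME of every libssl*/libcrypto* file in a library directory:
# after the update, this is what the dynamic linker can actually satisfy.
provided_ssl_sonames() {
    libdir=$1
    for f in "$libdir"/libssl.so* "$libdir"/libcrypto.so*; do
        [ -f "$f" ] || continue
        readelf -d "$f" 2>/dev/null | sed -n 's/.*(SONAME).*\[\([^]]*\)\].*/\1/p'
    done | sort -u | tr '\n' ' '
}

# Walk a tree (for instance an unpacked .dsl or .uci) and report every ELF file
# whose OpenSSL dependency LIBDIR no longer satisfies.
audit_tree() {
    tree=$1
    libdir=$2
    provided=$(provided_ssl_sonames "$libdir")
    find "$tree" -type f | while read -r f; do
        # skip anything that is not an ELF object
        readelf -h "$f" >/dev/null 2>&1 || continue
        missing=$(readelf -d "$f" 2>/dev/null | ssl_needed_from_readelf \
            | missing_sonames "$provided")
        if [ -n "$missing" ]; then
            printf '%s needs: %s\n' "$f" "$(printf '%s' "$missing" | tr '\n' ' ')"
        fi
    done
}

# usage: sh audit-ssl.sh /tmp/unpacked-extension /usr/lib
if [ "$#" -eq 2 ]; then
    audit_tree "$1" "$2"
fi
```

OpenSSL of that era put the full version in the soname (libssl.so.0.9.7 versus libssl.so.0.9.8), so an extension built against one will not load against the other unless a compatibility symlink or the old library is kept alongside; an empty report from this script is what "keeps the same API" looks like in practice, and any line it prints is an extension that needs rebuilding or its own copy of the library.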

Posted by lucky13 on June 30 2008,18:06
Quote
After all, the naming could be something like lib*.so.0 ... but this is really just my guesswork.

As I just added at the end, I've had no problems with existing extensions. The only error messages I've had are from XMMS, Sylpheed (missing icons or something), etc., already known in DSL and completely unrelated to OpenSSL library issues.

Posted by lucky13 on June 30 2008,18:24
Quote
I'm not "whining"...

You are. Stop it.
Quote
I just don't understand why someone brings up a topic about an extension and then just postpones it to an undefined future...

It's a very well-defined future: WHEN I HAVE A BETTER IDEA WHAT WE'RE DOING WITH CORE SO I DON'T HAVE TO MAKE MULTIPLE VERSIONS OF THINGS IF I DON'T HAVE TO. What's so difficult to understand about that? Geez.
Quote
Maybe I got the whole thing wrong...

You did. As usual.
Quote
...I thought that you almost were done making this extension.

I am. I have several versions of it that I've used on hard drive, frugal, and USB installs as well as in a remaster. It works. I told you when I'll submit. Why are you so burdened by that?
Quote
To help others is the main reason for why I post anything in this forum...

How is your harping and whining about the status of any submission (not the first time you've pulled this crap) helpful? How are you being helpful by complaining about "a lot of talk" in a thread with an initial post that mentions "if there's interest" (and where very little has been shown)? Are you genuinely interested or just badgering about this? And are you so arrogant that you think you're the ONLY person here trying to help others? Why the hell do you think anyone else comes here? Geez (again).

Posted by meo on June 30 2008,18:25
Hi again!

Well, maybe my input wasn't to the liking of the topic starter but at least it restarted the discussion (at least something).

Have fun with DSL as you want it,
meo

EDIT: Yes, your last post really shows that you want to help people.

Posted by lucky13 on June 30 2008,18:27
Quote
maybe my input

That wasn't input. Input is productive, and the crap you keep pulling isn't.

edit: From now on, I'll only submit to MyDSL upon request and for payment of a bounty. Terms and conditions are negotiable and highly subjective and will fluctuate on any whim. For most of you, a small donation well within your means to another fine project used by DSL (like OpenSSH) will suffice. It will cost certain people a lot more than others -- there's a price for getting on my bad side. So if you're not prepared to pay up, just shut up.

Starting price for anything meo wants or whines about: $1000/LOC, payable to OpenSSH or to the orphanage (edit: and other children programs in Uganda) vim supports. :)

links:
< http://www.openssh.org/donations.html >
< http://iccf-holland.org/ >

Posted by meo on June 30 2008,19:02
Hi!

Then it won't follow the GPL license I presume. But that, I guess, you learned from your discussion with John Murga.

Have fun all you who impartially really want to help out in this community (without charge),
meo

PS Would you give me credit for quoting me in your id string all the time? I guess not!? DS

Posted by lucky13 on June 30 2008,20:08
Quote
Then it won't follow the GPL license i presume.

The three projects mentioned in this thread are OpenSSH, OpenSSL, and zlib. None of these three is licensed under GPL. None forbids the sale of software, and, in fact, all allow their code to be used in proprietary software. I also said that I would allow the Ugandan project sponsored by Bram Moolenaar of vim, and vim isn't GPL.

It doesn't surprise me that you don't "get it" wrt what happened last week about the reconfigured runtime offered under a free license but whose developer wants to attach strings. Like that developer, you obviously don't understand GPL. You also seem to be operating under a false premise that "free" software cannot be sold. You are, as usual, very mistaken. The GPL allows it and the FSF encourages it because "free" software isn't about cost but about freedom: "...we encourage people who redistribute free software to charge as much as they wish or can.... the GNU General Public License (GNU GPL) has no requirements about how much you can charge for distributing a copy of free software. You can charge nothing, a penny, a dollar, or a billion dollars."
< http://www.fsf.org/licensing/essays/selling.html >

Read that and then come back and apologize for being such a dunderhead in public.

I have no qualms about soliciting money, whether it's an obscene amount from you personally or much less from anyone else, for the two projects I mentioned above. Both are already used in DSL. DSL has benefited from and continues to benefit by having OpenSSH and vim (even if it's an older tiny version) in its base.

I can further justify it on the grounds that most of my extension submissions have come from requests from others that I make available what I already have. I've also gone out of my way to contribute to the community. I place a high value on my time and I'd like to see any "bounty" have the greatest possible benefit. If it can benefit projects that already benefit the DSL community and will continue to do so, who are you to complain? It only shows what a demanding little ingrate you really are that you'd object to something that benefits all of us.

(Edited FSF quote and amended my terms for compiling extensions for meo; the price for meo is now US$1 billion payable to Theo of OpenSSH or vim's charity in Uganda. I'll even let meo split the billion between those two projects.)

Posted by meo on June 30 2008,21:14
Hello!

That was quite a response for a "oneliner" post. I (like you) was referring to MyDSL extensions in general. Wasn't that what you mentioned?
Quote
From now on, I'll only submit to MyDSL upon request and for payment of a bounty
And the credit for quoting me in your id line was just a request in the form of a question. You really have the ability to twist everything that someone posts. It reminds me of someone that also twisted quotes to his own liking. But my original post is there for anyone to see and in its proper context. Frankly I don't think that you'll get that many requests for MyDSL extensions and certainly not from me. I'm just wondering honestly how I managed to get, as you say, "on your bad side". To me it seems that you are exaggerating a lot when it comes to others but being very mild when it comes to yourself and what you are posting. That's my sincere opinion and then you wonder why a lot of members of this community don't like you. Well, usually you get treated as you treat others. This makes me wonder why it's only you that treats me in the manner that this and other threads show. I think I know why but I won't make any psychoanalysis now, I'll just get out of your hair (for now at least).

Have fun everybody that is prepared to help others without charge,
meo

Posted by lucky13 on June 30 2008,21:39
Quote
...then you wonder why a lot of members of this community don't like you.

No, I don't wonder about that at all. We live in an increasingly feminized, relativistic culture where those who have strong opinions and convictions are treated with derision and contempt by those whose opinions are much less sure (or, rather, who are much less willing to offer strong opinions except as it relates to derision of others). In saying that, I already know which side I'm on and I already know which side you're on. I'm comfortable with that. Very comfortable.

Just remember you're the one who bitched about "a lot of talk" instead of tackling it yourself if you want it. And if you don't, you're still the one bitching about it. Maybe you should just deal with your own shortcomings instead of worrying or talking about mine.

Edit... just so you won't remain in mouth-breathing suspense. Well, in suspense anyway.
Quote
I'm just wondering honestly how I managed to get, as you say, "on your bad side".

See the quote in my signature? Do you remember your juvenile antics in connection with all that? Or are you guilty of the same thing you accuse me -- of twisting words, etc.?

Posted by meo on July 01 2008,00:57
Hi for the last time in this thread (I know you just must have the last word)!

Yes, I remember but maybe have a different view of it than you have.

Who is namecalling, treating others with derision and showing contempt here?
Quote
Time to cast my pearls before other swine.


Quote
Quote
maybe my input

That wasn't input. Input is productive, and the crap you keep pulling isn't.


Who is really whining now etc.?
Quote
I wondered last week if I should bother participating in any community between being called names, being told I should go start my own distro, that I should leave my comments to my blog, etc. Thanks for helping me re-evaluate this question again. I really don't know why I bother suffering fools. Especially impatient, judgmental ones.


Do you think you have "carte blanche" to write whatever you want about others without being treated the same way by some members in this community? Then you complain for being treated the same way you have treated others. Have I succumbed to namecalling you? No, I don't do things like that but as a part of one of my id lines shows, in my opinion you have been asking for what you have received and yet according to you, it is always everyone else's fault, never yours. How can that be so? So you have no responsibility for what you write but all others have. Is that right and fair? I leave for you to answer that.

Have fun all you who honestly try to help everybody interested in DSL,
meo

Posted by lucky13 on July 01 2008,01:23
What was the point of you bitching and whining about this extension and this thread? I'm not the one stirring sh*t, YOU are. If you don't like how it stinks, STOP STIRRING IT. It is really that easy.

If you have ANYTHING to contribute to the discussion about any of the libraries this thread is about, feel free to post something more substantive than you have so far. If you have nothing to add other than whining and bitching about what's been or not been submitted, go talk to yourself.

It really is that easy. :)
