• Trouble posting to debian-devel

    From Antonio Russo@21:1/5 to All on Fri May 9 15:40:01 2025
    Hello all,

    I tried to post to this list two times yesterday morning.

    Roughly, the content was about a security issue. Neither post
    was rejected, nor did I receive a bounce, but it did not show
    up on the list.

    I'm not repeating the content of that email, since I'm not sure
    if the content is the reason that email was rejected.

    I also contacted listermaster@lists.debian.org and have received
    no response.

    In the unlikely event that this email gets through, I'll try
    posting the actual issue again, but there remains an issue
    of the flakiness of the list and rejecting emails silently.

    Best,
    Antonio

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Antonio Russo@21:1/5 to All on Fri May 9 16:50:01 2025
    On 2025-05-09 08:20, Boyuan Yang wrote:
    >
    > Just a reminder: if you are trying to report a sensitive security
    > issue: DO NOT post on debian-devel or other public mailing lists
    > to avoid disclosing it to the public in an unwanted way.
    > Please contact Debian Security Team via security@debian.org .
    >
    > If it is about some generic technical discussion, using debian-devel
    > is suitable.

    So, my mail is definitely being blocked based on the content.  I wont
    name the specific package, but it involves running code as root that
    does not need to be, because a systemd user unit is being started for
    the root user.  I really don't think hiding the details (in this
    specific case) protects anybody, and honestly I think it reduces
    everyone's safety.

    The reason I want to post this to debian-devel is because I'd like to
    discuss a generic approach to ensuring that systemd user units that
    are inappropriate for privileged users to start.

    In particular, I'm advocating for some systemd target that would
    Conflicts= with units that would have ConditionUser=!root so that
    administrators could easily prevent things like drkonqi from starting
    in sensitive user sessions.

    I'd also like to confirm there is a policy (or at least agreement)
    that running code as root unnecessarily is a problem.  I bring that
    up because I'm concerned that the bug I filed may go ignored.

    Best,
    Antonio

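
The proposal above depends on user units declaring `ConditionUser=!root`. As an added example (not part of the original post, and not Debian or systemd code), this script lists user service units in a directory that carry no root-excluding `ConditionUser=`; the sample unit names are constructed, and drop-in directories and `|`-prefixed triggering conditions are not evaluated.

```python
import pathlib
import tempfile

# Values of ConditionUser= that keep a unit from starting in root's user manager.
ROOT_EXCLUDING = {"!root", "!0", "!@system"}

def condition_user_values(text):
    """Return the effective ConditionUser= values from a unit file's [Unit] section."""
    values, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section == "Unit" and sep and key.strip() == "ConditionUser":
            value = value.strip()
            if value:
                values.append(value)
            else:
                values = []  # an empty assignment resets the condition list
    return values

def units_startable_as_root(unit_dir):
    """List *.service files in unit_dir with no root-excluding ConditionUser=."""
    flagged = []
    for path in sorted(pathlib.Path(unit_dir).glob("*.service")):
        values = condition_user_values(path.read_text(errors="replace"))
        if not ROOT_EXCLUDING.intersection(values):
            flagged.append(path.name)
    return flagged

def demo():
    # Constructed sample units; the names are made up for this example.
    samples = {
        "crash-helper.service": "[Unit]\nDescription=demo\n[Service]\nExecStart=/bin/true\n",
        "guarded.service": "[Unit]\nConditionUser=!root\n[Service]\nExecStart=/bin/true\n",
        "reset.service": "[Unit]\nConditionUser=!root\nConditionUser=\n[Service]\nExecStart=/bin/true\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            pathlib.Path(d, name).write_text(body)
        return units_startable_as_root(d)

if __name__ == "__main__":
    print(demo())
```

On an installed system, `units_startable_as_root("/usr/lib/systemd/user")` gives the list of packaged user services to review.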
  • From Daniel Gröber@21:1/5 to Antonio Russo on Fri May 9 17:30:01 2025
    Hi Antonio,

    On Fri, May 09, 2025 at 08:31:22AM -0600, Antonio Russo wrote:
    > I'd also like to confirm there is a policy (or at least agreement)
    > that running code as root unnecessarily is a problem.

    Quoting https://release.debian.org/trixie/rc_policy.txt :

    In addition to the issues listed in this document, an issue is release
    critical if it:

    * introduces a security hole on systems where you install the
    packages
    (these issues are "critical" severity)

    5. General

    (b) Security

    Programs must be setup to use the minimum privileges they can. (ie,
    not setuid where setgid will suffice; not setuid root where setuid
    some other user will suffice; setuid root for the minimum period
    possible, etc)

    > I bring that up because I'm concerned that the bug I filed may go
    > ignored.

    You need to tag security bugs as 'security' in reportbug. Then they get
    CCed to the right people and won't be ignored.

    You can do this after the fact by responding to the bug, adding
    security@debian.org to CC and putting the following in the first lines of
    your mail to add the tag:

    Control: tags -1 + security

    Ideally you should explain in your message what the security impact of this
    bug is in your view.

    Thanks,
    --Daniel
