On Mon, 14 Dec 2009 18:10:11 +0000
Simon Robert <simon.robert@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> > > Doesn't sound like it's ready for Debian at the moment either. It would
> > > need a Ruby developer already working with the Debian Ruby team to get
> > > it into some sort of decent shape.
> > >
> > > Just because software is free doesn't mean it's any good - there can be
> > > other reasons why package foo isn't in Debian or Ubuntu apart from a
> > > lack of time by interested maintainers, the package may just be crud.
> > >
> > So it is back to looking for a suitable and secure programme.
> > Neil's comments are quite worrying so I shall follow his advice.
> >
> All this stuff about how installing a .deb file from a project's website
> rather than from the ubuntu/debian repositories could be dangerous is
> frankly pants.

No, it's based on real problems within Debian reported by real Debian
users over several years and covering a wide variety of applications.

The results have included:

1. broken upgrades - unable to remove, upgrade, purge, reinstall,
configure or manually fix the third-party package, leading to an
unusable, unbootable system.

2. Corruption of system libraries by embedded copies and broken
LD_LIBRARY_PATH rules, causing system crashes and failure to start
services like Xorg.

3. Loss of network connections due to broken interaction with other
system daemons like dbus or hal.

4. Innumerable system breakages, failures, crashes and indeterminate
bugs, only fixed by removing a third party package and which reappear
on reinstallation.

These are sufficiently serious that some users would be unable to fix
their systems without a reinstallation.

> Exactly what nasties could be inserted? (OK probably some), but there
> has never been a linux virus malware example seen in the wild.

Your picture is too narrow, the dangers are not akin to those that
blight Windows. The nature of the problems is not the usual malware
targets and may indeed arise merely due to incompetence rather than
malice. However, the result on users is equivalent. It's not so much
about inserting nasties, it is incompetent developers making broken
.deb files that are not compatible with Debian Policy and then cause
system breakage without the rest of Debian being able to test the
results.

> There has never been an example of a .deb file from a project website
> installing one of these non-existent nasties!

You're reading more into my comments than actually specified.

> If there had been someone would have noticed fast!

Debian (and other distros) have done just that. It isn't just about
security issues (which in GNU is more related to buffer overruns and
privilege escalation rather than the script kiddie viruses that plague
Windows).

> It would have been
> all over forums like this one and the perps well and truly outed.

Search the debian-user archives at lists.debian.org - try looking for
problems with printers and combined printer/scanners and users who then
install .deb files.

At the times that these do need to be used, I will always unpack the
downloaded .deb, read and fix the contents and then prepare a genuine
Debian package (albeit local) that is Policy Compliant. Most users
cannot be expected to do that and so most users are not protected from
non-compliant .debs that can break unrelated parts of the OS.

> So to
> tell someone all this stuff about non-existing dangers is paranoid,
> irresponsible and hysterical.

That simply won't stick. Attacks like that merely reduce your own
credibility. The dangers exist but you have looked for them in the
wrong area.

> Sounds like this particular app is not in the repository because it's
> not ready for it and the developers know this.

.. and instead of investing the time to work with Debian and fix the
problems, they put a broken .deb on a website and think that their work
is done. Fools - it is users who lose out.

I've spent a lot of time working on packages like this on
debian-mentors. 99.9999% of those are absolute crap and need massive
numbers of fixes and changes to even get close to Policy Compliance.

> I always try and get
> stuff from the official/semi official repositories, but if the app isn't
> there I'm frankly grateful the project has been thoughtful enough to put
> a .deb together.

... until you're hit by some of the problems that random .debs have
caused in the past.

> As for compiling from source, well unless you're going to inspect it
> line by line there could be anything in there!

Huh? You trust a random compiled binary more than source code?? Ensure
the source code is available for inspection on a free host somewhere,
preferably in a version control system, and let someone else verify
the code, someone who understands the code.

> People who spread this kind of FUD are probably paid to do it by closed
> source copyrighted software organisations to scare people away from OSS!

I expect an apology for such an insinuation. I could point you to
hundreds of incidences where I have personally guided people towards
free software and away from proprietary over a period of over 6 years.
I do not have to prove my credentials to you or anyone else but I do
expect that my achievements and contributions are respected by those
who purport to support the aims of this group.

-- 

Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
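The unpack-and-read step Neil describes, as an added example that is not part of the original thread: a small Python inspector that parses the .deb container (an 'ar' archive holding debian-binary, control.tar.* and data.tar.*) with the standard library only, pulls the maintainer scripts out of control.tar and flags the LD_LIBRARY_PATH tricks and stray shared libraries the list above names. The risk patterns, the helper names and the sample package are constructed for illustration; on a real system `dpkg-deb -e` and `dpkg-deb -x` do the same unpacking.

```python
import io, re, tarfile
MAINT_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Constructed, illustrative risk patterns; a real review still reads every maintainer script in full.
SCRIPT_RISKS = {"LD_LIBRARY_PATH": "maintainer script touches LD_LIBRARY_PATH",
                "ld.so.conf": "maintainer script edits the global linker search path"}
PATH_RISKS = [(re.compile(r"^/(usr/)?lib(32|64)?/[^/]+\.so(\.|$)"), "ships a .so into the system library path")]

def ar_members(blob):
    """Yield (name, bytes) for each member of the 'ar' archive that wraps a .deb."""
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    pos = 8
    while pos + 60 <= len(blob):                 # fixed 60-byte ASCII member header
        hdr = blob[pos:pos + 60]
        name, size = hdr[:16].decode().rstrip().rstrip("/"), int(hdr[48:58].decode())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)            # members are padded to even offsets

def inspect_deb(blob):
    """Return [(location, finding)] for risky maintainer scripts and install paths."""
    findings = []
    for name, data in ar_members(blob):
        if name.startswith(("control.tar", "data.tar")):      # skip debian-binary
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                for m in tar.getmembers():
                    path = m.name[2:] if m.name.startswith("./") else m.name
                    if name.startswith("control.tar") and path in MAINT_SCRIPTS:
                        text = tar.extractfile(m).read().decode(errors="replace")
                        findings += [(path, why) for needle, why in SCRIPT_RISKS.items() if needle in text]
                    elif name.startswith("data.tar") and m.isfile():
                        findings += [("/" + path, why) for rx, why in PATH_RISKS if rx.search("/" + path)]
    return findings

# The two helpers below only build the constructed sample .deb; they are not part of the inspection.
def _tar_bytes(files):
    with tarfile.open(fileobj=(buf := io.BytesIO()), mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path); info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def _ar_bytes(members):
    out = b"!<arch>\n"
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode() + data
        out += b"\n" if len(data) & 1 else b""
    return out

SAMPLE_DEB = _ar_bytes([("debian-binary", b"2.0\n"),
    ("control.tar.gz", _tar_bytes({"./control": b"Package: foo\n", "./postinst": b"#!/bin/sh\nexport LD_LIBRARY_PATH=/opt/foo/lib\n"})),
    ("data.tar.gz", _tar_bytes({"./usr/bin/foo": b"", "./usr/lib/libz.so.1": b""}))])
```

Running `inspect_deb(SAMPLE_DEB)` reports the postinst that exports LD_LIBRARY_PATH and the libz.so.1 copy dropped into /usr/lib, while the ordinary /usr/bin/foo passes; every finding is a prompt for a human read, not a verdict.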