BAD sig on Devuan ISO 1
I will simply employ my scripts tshark-streams and tshark-hosts-conv now (ermh, actually next). For developers it's like drinking water to follow here, but it is attainable knowledge for (really) hardworking common users, whom I always have in mind, as I like to spread good computing, and Devuan is the brightest star around since relatively long. I wish this hadn't happened, and that repeated security failures like this (there were other issues that I reported, e.g. default login username and password for live Devuan media and files.devua.org cert expired --sic!, with that typo in the subject line-- that I know of), and I really hope that these few security failures make for lessons having been learned by now, and that Devuan will be getting strong and secure...
I started the former, and participated by sending private notices about the latter of the two issues (because I wanted to help the issue get fixed), and with some nostalgia I need to link at this time to the correct behavior when it comes to telling Devuan team about vulnerabilities:
golinux's reply in "default login username and password for live Devuan media".
And golinux, a member of the Devuan distro team (the great very loveable themes and designs are of her making), also replied to my PMs about the expired certificate.
Devuan moderators should live up to such kind and honorable standards like golinux showed. The Dng ML moderator shouldn't really have completely misunderstood what my first message was about, probably starting with a prejudice of member's (me) inferiority and dedicating seconds to reading the message, and the few dozen extra kilobytes should really have been allowed to the list...
I've wished/and advocated for a systemd-free Debian distro, and participated quite a lot in Debian Forums topics on the matter, mostly those were the same topics where also golinux and edbarx (Edward Bartolo) participated. I also subscribed very early to the Dng ML and tried to help where I could, but sadly I was even less skilled back then.
Still, Devuan is my distro too.
If you search on Gentoo Forums you will find a lot of places where I linked to events that were going on in Devuan, and you will often find people appreciative of the information that I was spreading about Devuan. And in many other places.
But, enough said about that.
OTOH, while I could really really not live with systemd, and I most honestly wish Pöttering would leave FOSS and go and do what he is good at, which is serving the big business interests, and not the freedom in computing enshrined in the great unix GNU+Linux distros, neither do I think hiding ("moderating") and censorship, if that be attempted, because, now that I studied this issue for looong hours, this does very much appear to be a successful attack on Devuan leader's PGP keys...
[But, while I most honestly wish Lennart Pöttering left our free FOSS territory and went to work in what he is good at, which is serving the big business,] neither do I think that hiding ("moderating") and censorship could serve any good purpose...
Now it's too late anyway. If I had been replied to, be it in private email, or on the mailing list, in any sensible way, because there are very capable programmers that must have figured out much much earlier than me... then that would have been possible...
It really only is starting to become clear to me how bad, although probably not devastatingly disastrous, the issue seems to be. And some of the really capable Devuan developers I'm sure got the full scale of it if not earlier, then right after I sent my first mail, the one that was dropped --is that really how reporters on vulnerabilities should be treated? dropping their mail along with accusing them of, basically, stupidity?-- from the list...
And for the first few hours since I became aware and wrote about the issue, I was completely uncertain where the cause originated. Just read my first emails where my complete uncertainty about it was obvious.
But instead of taking me at least somewhat seriously, alas! I was, instead, by the Dng list moderator, basically offered to accept, and resign myself to, how grotesquely stupid an email I sent...
Which actions by that moderator kind of compelled me to study and show how there was a lot of sense, sadly likely too much sense, in that message...
So now that it is, due to inaction on the part of where getting actionable should have been the way to go, and not hiding and not outward silence, I have to conclude this matter and analyze the two events, of 2017-04-23 16:42 and 2017-04-23 21:02.
In No. 2.
And sincerely I hope I'm doing it for a, longer term, more secure and better Devuan. My distro as well.
And may the systemDestruction intruders into sacred FOSS territory leave us alone!