Ludovic Courtès transcribed 1.4K bytes: > Hi, > > Ricardo Wurmus skribis: > > >> + (home-page "https://github.com/jedisct1/blacknurse") > >> + (synopsis "Proof of Concept for the Blacknurse attack") > >> + (description > >> + "Simple Proof of Concept for the Blacknurse attack. > >> +Blacknurse is a low bandwidth ICMP attack that is capable of doing denial > >> +of service to well known firewalls.") > > > > The first fragment is not a full sentence. > > > > Looking at this package I wonder why it should be part of Guix as it is > > merely malware. I don’t see any reason why this should be installable > > through Guix. We are not in the habit of providing packages for > > exploits. Putting it in “networking” makes it seem like this would be a > > useful networking application, but it really is not. It just > > demonstrates a bug in networked devices. > > > > @Ludo: what do you think? > > Indeed. I see two issues here: > > 1. a “proof of concept” is typically something for experts of the > field to study, rather than generally useful software; Hm... We have some proof of work implementations of software in Guix I think. In addition I'd think that there are many more professionals only software. So PoC as an issues is a non-issue to me as long as it works. > 2. it’s a tool whose purpose is to perform DoS attacks on routers, and > I find it questionable to provide it in Guix (not to mention that > there’s no shortage of such programs that we could add!). And this is the real issue. I fully agree with the statements and views on this software made by Ricardo and yourself. I'm taking most of these software from BlackArch, Kali and other distro-builder distros targeted at pen-testing professionals in addition to the commercial solutions. Some of these don't even have license statements, I had chats with BlackArch to correct a large batch of their own script'ish software. > So overall I’m reluctant to including it in Guix. > > Thoughts? > > Ludo’. I haven't read the Documentation in a while, but do we define anything besides the requirement that a software needs to fit into the GNU FSDG? I mean more specifically, do we want to come up with a definition for software (such as this) that won't be included at all, or do we decide individually per case? I myself now know what we have agreed upon here, I just don't know if it would make more sense to define it in the Handbook. There's a whole lot of software similar to this out there. For example: I have a collection of isolated viruses somewhere that is intended for study only. Of course I know this is definitely not something we should distribute in master, but there are certain cases where people wouldn't know wether this is okay to distribute from the official side or not. In addition to my main projects I'm lowkey working on some kind of pen-testing repository, so that it can serve as a base for a flavor of my mechanism for custom distro building automation. Based on the general mechanism of creating official flavors I could test the ability to extend on this with for example the theme of pen-testing. Some of the software can find it way into Guix (some already has), a large amount of it won't (for obvious reasons). I'm CC'ing devel and closing this bug, so that we can discuss - if necessary - the problem of pointing out software like this in and their restriction in the Handbook. Thanks, N. -- GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 GnuPG: https://c.n0.is/ng0_pubkeys/tree/keys WWW: https://n0.is