[bug#29528] Add blacknurse

[ng0 <ng0@n0.is>]

[-- Attachment #1: Type: text/plain, Size: 3326 bytes --]

Ricardo Wurmus transcribed 2.1K bytes:
> 
> Hi ng0,
> 
> > +(define-public blacknurse
> > +  (let* ((commit "d2a2b23544295844714ebf8d2d78af37fe5770c9")
> > +         (revision "1"))
> > +    (package
> > +      (name "blacknurse")
> > +      (version (string-append "0.0.0-" revision "." (string-take commit 7)))
> > +      (source
> > +       (origin
> > +         (method git-fetch)
> > +         (uri (git-reference
> > +               (url "https://github.com/jedisct1/blacknurse")
> > +               (commit commit)))
> > +         (file-name (string-append name "-" version))
> 
> This should be “(file-name (string-append name "-" version "-checkout"))”.
> 
> > +         (sha256
> > +          (base32
> > +           "1w7zmcrnrs4p4naj3i6h1wcmd56dgrfd7myx0ljhw162sg0134nz"))))
> > +      (build-system gnu-build-system)
> > +      (arguments
> > +       `(#:make-flags (list "CC=gcc")
> > +         #:tests? #f ; No tests
> > +         #:phases
> > +         (modify-phases %standard-phases
> > +           (delete 'configure) ; No configure script
> > +           (replace 'install
> > +             (lambda* (#:key outputs #:allow-other-keys)
> > +               (let* ((out (assoc-ref outputs "out"))
> > +                      (bin (string-append out "/bin")))
> > +                 (install-file "blacknurse" bin)))))))
> 
> This should end on #t.
> 
> > +      (home-page "https://github.com/jedisct1/blacknurse")
> > +      (synopsis "Proof of Concept for the Blacknurse attack")
> > +      (description
> > +       "Simple Proof of Concept for the Blacknurse attack.
> > +Blacknurse is a low bandwidth ICMP attack that is capable of doing denial
> > +of service to well known firewalls.")
> 
> The first fragment is not a full sentence.
> 
> Looking at this package I wonder why it should be part of Guix as it is
> merely malware.  I don’t see any reason why this should be installable
> through Guix.  We are not in the habit of providing packages for
> exploits.  Putting it in “networking” makes it seem like this would be a
> useful networking application, but it really is not.  It just
> demonstrates a bug in networked devices.
> 
> @Ludo: what do you think?
> 
> --
> Ricardo
> 
> GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
> https://elephly.net

To some extent I agree, I'm just probing where we draw the
line in pen-testing software.
I have a repository for those, and I'll add a comment to
get an idea for what we decide on. blacknurse for me
was a grey area in a new class of pen-testing software
I haven't sent before.
Software written with malicious intentions or such that
can be interpreted / used with those has a broad range,
some of it will be okay for us in Guix, some of it won't
be okay.
I draw the line at explicitly malicious. Blacknurse was
kinda okay for me, but I think your comment is enough
to let me put it in the case-by-case 'malicious' category.
Runs an PoC exploit targeted at launching an attack against
unpatched firewalls -> bad.

Eventually this should help getting a list of example
software we will not accept in Guix, if someone else
tries.
-- 
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://c.n0.is/ng0_pubkeys/tree/keys
  WWW: https://n0.is

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]