From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:50508) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1eLe1N-0007qY-F8 for guix-patches@gnu.org; Sun, 03 Dec 2017 18:50:06 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1eLe1K-0006iI-8p for guix-patches@gnu.org; Sun, 03 Dec 2017 18:50:05 -0500 Received: from debbugs.gnu.org ([208.118.235.43]:35287) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1eLe1K-0006iE-4o for guix-patches@gnu.org; Sun, 03 Dec 2017 18:50:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1eLe1J-00073K-RD for guix-patches@gnu.org; Sun, 03 Dec 2017 18:50:01 -0500 Subject: [bug#29528] Add blacknurse Resent-Message-ID: Date: Sun, 3 Dec 2017 23:49:10 +0000 From: ng0 Message-ID: <20171203234910.w22jwdr6fzdxe26i@abyayala> References: <20171130194227.bpe4l2ccvcrr5spb@abyayala> <874lp74dtz.fsf@elephly.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="2phngdegnrlm4qdv" Content-Disposition: inline In-Reply-To: <874lp74dtz.fsf@elephly.net> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Ricardo Wurmus Cc: 29528@debbugs.gnu.org --2phngdegnrlm4qdv Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Ricardo Wurmus transcribed 2.1K bytes: >=20 > Hi ng0, >=20 > > +(define-public blacknurse > > + (let* ((commit "d2a2b23544295844714ebf8d2d78af37fe5770c9") > > + (revision "1")) > > + (package > > + (name "blacknurse") > > + (version (string-append "0.0.0-" revision "." (string-take commi= t 7))) > > + (source > > + (origin > > + (method git-fetch) > > + (uri (git-reference > > + (url "https://github.com/jedisct1/blacknurse") > > + (commit commit))) > > + (file-name (string-append name "-" version)) >=20 > This should be =E2=80=9C(file-name (string-append name "-" version "-chec= kout"))=E2=80=9D. >=20 > > + (sha256 > > + (base32 > > + "1w7zmcrnrs4p4naj3i6h1wcmd56dgrfd7myx0ljhw162sg0134nz")))) > > + (build-system gnu-build-system) > > + (arguments > > + `(#:make-flags (list "CC=3Dgcc") > > + #:tests? #f ; No tests > > + #:phases > > + (modify-phases %standard-phases > > + (delete 'configure) ; No configure script > > + (replace 'install > > + (lambda* (#:key outputs #:allow-other-keys) > > + (let* ((out (assoc-ref outputs "out")) > > + (bin (string-append out "/bin"))) > > + (install-file "blacknurse" bin))))))) >=20 > This should end on #t. >=20 > > + (home-page "https://github.com/jedisct1/blacknurse") > > + (synopsis "Proof of Concept for the Blacknurse attack") > > + (description > > + "Simple Proof of Concept for the Blacknurse attack. > > +Blacknurse is a low bandwidth ICMP attack that is capable of doing den= ial > > +of service to well known firewalls.") >=20 > The first fragment is not a full sentence. >=20 > Looking at this package I wonder why it should be part of Guix as it is > merely malware. I don=E2=80=99t see any reason why this should be instal= lable > through Guix. We are not in the habit of providing packages for > exploits. Putting it in =E2=80=9Cnetworking=E2=80=9D makes it seem like = this would be a > useful networking application, but it really is not. It just > demonstrates a bug in networked devices. >=20 > @Ludo: what do you think? >=20 > -- > Ricardo >=20 > GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC > https://elephly.net To some extent I agree, I'm just probing where we draw the line in pen-testing software. I have a repository for those, and I'll add a comment to get an idea for what we decide on. blacknurse for me was a grey area in a new class of pen-testing software I haven't sent before. Software written with malicious intentions or such that can be interpreted / used with those has a broad range, some of it will be okay for us in Guix, some of it won't be okay. I draw the line at explicitly malicious. Blacknurse was kinda okay for me, but I think your comment is enough to let me put it in the case-by-case 'malicious' category. Runs an PoC exploit targeted at launching an attack against unpatched firewalls -> bad. Eventually this should help getting a list of example software we will not accept in Guix, if someone else tries. --=20 GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588 GnuPG: https://c.n0.is/ng0_pubkeys/tree/keys WWW: https://n0.is --2phngdegnrlm4qdv Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEqIyK3RKYKNfqwC5S4i+bv+40hYgFAlokjXYACgkQ4i+bv+40 hYjBxxAAh0tJW9UflQL8DlWl7u0iJETy2SWI1VheB8h5c3itT9ZiGxcTNNzhR28r Obz/mTz50b3NHb+HajwCRLE3IKlYI7AhY2U0tddgmFawziAQTVmquud9YFwVHNYE flxva+0FOBQiPxX1GfMCuVrwTTJWUG/38wYtwxxnvGRw4p53+DZ3OjWt9Goefw9w G1/uk6pcS4/L3zZ/WFqtoAvRi6Xeo3ZDRCmhfw0aSKCc+FqVveZywq74SmOoQHDt hZkUgQJX47lSWodcjfIwQJ+6nktoOH15G0KL71WFeDuSrzjfozJ0Mj5SqAJCMXGj 4EUGM2hFeRR8TNauidq4R+k8iyGbYCqWR88Whaola81SnVU70OpEIWPo3M+Hjdf4 KjexXRSVhImp3KlMRhj7NNbgrdt1Sf/AqS0tPxQQrJfn+EflNv4WMtlDIbRE3r3U YNeSmFbHZ17LtCPJ/riUuOIEb+VqB8nX0AdutX7/dWw9d/SHAKU3ph2sNrOL1MTH KefjGH4Y56PffB0RB5gGHf+H22geAlOyJ2jKw1WD0fHInPdGGit0xN1scNFsyn1z eW5PAp4H5ZaGgKiPktGR2QWf1xQxpSqrGT41Zyp2YKlBWxmIeb0sXiDdsT9Rx5F4 vRpF3faXDWUfBPy7n44fdhrS15u4k3o/2usrnyaYfWu8602FK3g= =eo3s -----END PGP SIGNATURE----- --2phngdegnrlm4qdv--