unofficial mirror of guix-patches@gnu.org 
From: ng0 <ng0@n0.is>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: Ricardo Wurmus <rekado@elephly.net>,
	guix-devel@gnu.org, 29528-done@debbugs.gnu.org
Subject: bug#29528: Add blacknurse
Date: Mon, 4 Dec 2017 16:18:00 +0000
Message-ID: <20171204161800.oyqxqpshuaoqkuan@abyayala>
In-Reply-To: <87fu8qsx50.fsf@gnu.org>

Ludovic Courtès transcribed 1.4K bytes:
> Hi,
> 
> Ricardo Wurmus <rekado@elephly.net> skribis:
> 
> >> +      (home-page "https://github.com/jedisct1/blacknurse")
> >> +      (synopsis "Proof of Concept for the Blacknurse attack")
> >> +      (description
> >> +       "Simple Proof of Concept for the Blacknurse attack.
> >> +Blacknurse is a low bandwidth ICMP attack that is capable of doing denial
> >> +of service to well known firewalls.")
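
Review bot: In the description string, "low bandwidth ICMP attack" and "well known firewalls" use compound modifiers that should be hyphenated ("low-bandwidth", "well-known"), and "capable of doing denial of service to" reads more cleanly as "that can cause denial of service on". The first line of the description also repeats the synopsis almost word for word, so the description adds nothing until its second sentence; consider dropping the repetition and starting with what the attack is.
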
> >
> > The first fragment is not a full sentence.
> >
> > Looking at this package I wonder why it should be part of Guix as it is
> > merely malware.  I don’t see any reason why this should be installable
> > through Guix.  We are not in the habit of providing packages for
> > exploits.  Putting it in “networking” makes it seem like this would be a
> > useful networking application, but it really is not.  It just
> > demonstrates a bug in networked devices.
> >
> > @Ludo: what do you think?
> 
> Indeed.  I see two issues here:
> 
>   1. a “proof of concept” is typically something for experts of the
>      field to study, rather than generally useful software;

Hm... We have some proof of work implementations of software in Guix
I think. In addition I'd think that there is much more professionals-only
software. So PoC as an issue is a non-issue to me as long as it
works.

>   2. it’s a tool whose purpose is to perform DoS attacks on routers, and
>      I find it questionable to provide it in Guix (not to mention that
>      there’s no shortage of such programs that we could add!).

And this is the real issue. I fully agree with the statements and
views on this software made by Ricardo and yourself.
I'm taking most of this software from BlackArch, Kali and
other distro-builder distros targeted at pen-testing professionals
in addition to the commercial solutions.
Some of these don't even have license statements, I had chats with
BlackArch to correct a large batch of their own script'ish software.

> So overall I’m reluctant to include it in Guix.
> 
> Thoughts?
> 
> Ludo’.

I haven't read the Documentation in a while, but do we define anything
besides the requirement that a software needs to fit into the GNU FSDG?
I mean more specifically, do we want to come up with a definition for
software (such as this) that won't be included at all, or do we decide
individually per case?
I myself now know what we have agreed upon here, I just don't know if
it would make more sense to define it in the Handbook.
There's a whole lot of software similar to this out there.
For example:
I have a collection of isolated viruses somewhere that is intended for
study only. Of course I know this is definitely not something we should
distribute in master, but there are certain cases where people wouldn't
know whether this is okay to distribute from the official side or not.

In addition to my main projects I'm lowkey working on some kind of
pen-testing repository, so that it can serve as a base for a flavor
of my mechanism for custom distro building automation. Based on the
general mechanism of creating official flavors I could test the ability
to extend on this with for example the theme of pen-testing.
Some of the software can find its way into Guix (some already has),
a large amount of it won't (for obvious reasons).

I'm CC'ing devel and closing this bug, so that we can discuss - if
necessary - the problem of pointing out software like this in and their
restriction in the Handbook.

Thanks,
N.
-- 
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://c.n0.is/ng0_pubkeys/tree/keys
  WWW: https://n0.is
