From: ng0
Date: Mon, 4 Dec 2017 16:18:00 +0000
Subject: bug#29528: Add blacknurse
To: Ludovic Courtès
Cc: Ricardo Wurmus, guix-devel@gnu.org, 29528-done@debbugs.gnu.org

Ludovic Courtès transcribed 1.4K bytes:
> Hi,
>
> Ricardo Wurmus skribis:
>
> >> + (home-page "https://github.com/jedisct1/blacknurse")
> >> + (synopsis "Proof of Concept for the Blacknurse attack")
> >> + (description
> >> + "Simple Proof of Concept for the Blacknurse attack.
> >> +Blacknurse is a low bandwidth ICMP attack that is capable of doing denial
> >> +of service to well known firewalls.")
> >
> > The first fragment is not a full sentence.
> >
> > Looking at this package I wonder why it should be part of Guix as it is
> > merely malware. I don’t see any reason why this should be installable
> > through Guix. We are not in the habit of providing packages for
> > exploits. Putting it in “networking” makes it seem like this would be a
> > useful networking application, but it really is not. It just
> > demonstrates a bug in networked devices.
> >
> > @Ludo: what do you think?
>
> Indeed. I see two issues here:
>
> 1. a “proof of concept” is typically something for experts of the
>    field to study, rather than generally useful software;

Hm... We have some proof of work implementations of software in Guix I think. In addition I'd think that there are many more professionals only software. So PoC as an issue is a non-issue to me as long as it works.

> 2. it’s a tool whose purpose is to perform DoS attacks on routers, and
>    I find it questionable to provide it in Guix (not to mention that
>    there’s no shortage of such programs that we could add!).

And this is the real issue. I fully agree with the statements and views on this software made by Ricardo and yourself. I'm taking most of these software from BlackArch, Kali and other distro-builder distros targeted at pen-testing professionals in addition to the commercial solutions. Some of these don't even have license statements; I had chats with BlackArch to correct a large batch of their own script'ish software.

> So overall I’m reluctant to including it in Guix.
>
> Thoughts?
>
> Ludo’.

I haven't read the Documentation in a while, but do we define anything besides the requirement that a software needs to fit into the GNU FSDG?
I mean more specifically, do we want to come up with a definition for software (such as this) that won't be included at all, or do we decide individually per case? I myself now know what we have agreed upon here, I just don't know if it would make more sense to define it in the Handbook.

There's a whole lot of software similar to this out there. For example: I have a collection of isolated viruses somewhere that is intended for study only. Of course I know this is definitely not something we should distribute in master, but there are certain cases where people wouldn't know whether this is okay to distribute from the official side or not.

In addition to my main projects I'm lowkey working on some kind of pen-testing repository, so that it can serve as a base for a flavor of my mechanism for custom distro building automation. Based on the general mechanism of creating official flavors I could test the ability to extend on this with for example the theme of pen-testing. Some of the software can find its way into Guix (some already has), a large amount of it won't (for obvious reasons).

I'm CC'ing devel and closing this bug, so that we can discuss - if necessary - the problem of pointing out software like this in and their restriction in the Handbook.

Thanks,
N.
-- 
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://c.n0.is/ng0_pubkeys/tree/keys
WWW: https://n0.is
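
Review bot: in the quoted `description` string, the opening fragment "Simple Proof of Concept for the Blacknurse attack." has no verb, and the sentence after it leaves its compound modifiers unhyphenated ("low bandwidth ICMP attack", "well known firewalls"). Suggest rewriting the field as full sentences that say what the program itself does, with "low-bandwidth" and "well-known" hyphenated, and lower-casing "proof of concept" in the `synopsis`.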