Debian Bug report logs - #629373
Remote DoS with vsftpd on Linux 2.6.32

version graph

Package: vsftpd; Maintainer for vsftpd is Daniel Baumann <mail@daniel-baumann.ch>; Source for vsftpd is src:vsftpd.

Reported by: Ben Hutchings <ben@decadent.org.uk>

Date: Mon, 6 Jun 2011 04:39:01 UTC

Severity: serious

Tags: security

Found in version vsftpd/2.3.2-3

Fixed in version vsftpd/2.3.4-1

Done: Daniel Baumann <daniel.baumann@progress-technologies.net>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, debian-kernel@lists.debian.org, Daniel Baumann <daniel@lists.debian-maintainers.org>:
Bug#629373; Package vsftpd. (Mon, 06 Jun 2011 04:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
New Bug report received and forwarded. Copy sent to debian-kernel@lists.debian.org, Daniel Baumann <daniel@lists.debian-maintainers.org>. (Mon, 06 Jun 2011 04:39:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: submit@bugs.debian.org
Subject: Remote DoS with vsftpd on Linux 2.6.32
Date: Mon, 06 Jun 2011 05:36:08 +0100
[Message part 1 (text/plain, inline)]
Package: vsftpd
Version: 2.3.2-3
Tags: security
Severity: important
X-Debbugs-Cc: debian-kernel@lists.debian.org

The bug is described by Serge Hallyn below, and in Ubuntu bug #720095
<https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095>.

In short, I agree with Serge that the network namespace feature in the
kernel is useful and should be retained in squeeze, given that only
privileged users can (directly) use it.  vsftpd must not create a
network namespace per connection without a kernel version check.

Ben.

-------- Forwarded Message --------
From: Serge Hallyn <serge.hallyn@canonical.com>
To: kernel-team@lists.ubuntu.com, ubuntu-server@lists.ubuntu.com
Subject: CONFIG_NET_NS
Date: Wed, 1 Jun 2011 13:57:38 -0500

Hi,

vsftpd spawns a network namespace in response to each client connection.
Lucid kernel is slow to release network namespaces, which results, in
bug 720095, in an easy remote DOS.  The maverick kernel has a fix for
this, but it is hard to cherrypick.

The bug was resolved by compiling the lucid kernel without
CONFIG_NET_NS.  I'm emailing to ask that we reconsider that solution.

Turning off CONFIG_NET_NS prevents libvirt from creating all containers
(lxc:///), and prevents lxc from creating most useful containers,
resulting in bug 790863.  There is the workaround of installing the
backported kernel, but I don't believe that will satiate users who
really want LTS stability.  For those users, we are effectively telling
them that they cannot use containers until 12/04.

What I don't believe has been discussed is that CLONE_NEWNET requires
privilege.  The vsftpd bug was bad because anyone could trigger it with
a set of remote connections.  But that is easily fixed by patching
vsftpd to not use CLONE_NEWNET.  As Stefan noted in irc, there is the
threat that other services use CLONE_NEWNET.  Though I've grepped some
of my local sources for samba, dhclient, postfix, apache, mysql, squid
etc, and have found no others using CLONE_NEWNET so far.  That doesn't
mean there aren't any, but I argue that the risk is far outweighed by
not supporting containers in lucid.

Thanks for your time :)

thanks,
-serge

-- 
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team


-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@lists.debian-maintainers.org>:
Bug#629373; Package vsftpd. (Mon, 06 Jun 2011 05:18:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel@lists.debian-maintainers.org>. (Mon, 06 Jun 2011 05:18:05 GMT) Full text and rfc822 format available.

Message #10 received at 629373@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 629373@bugs.debian.org
Subject: Re: Bug#629373: Remote DoS with vsftpd on Linux 2.6.32
Date: Mon, 06 Jun 2011 06:15:08 +0100
[Message part 1 (text/plain, inline)]
This patch should provide the necessary kernel version check, but I
haven't tested it.

Ben.

--- vsftpd-2.3.2.orig/sysdeputil.c
+++ vsftpd-2.3.2/sysdeputil.c
@@ -25,6 +25,11 @@
   #define _LARGEFILE64_SOURCE 1
 #endif
 
+#ifdef __linux__
+  #include <stdio.h>
+  #include <sys/utsname.h>
+#endif
+
 /* For INT_MAX */
 #include <limits.h>
 
@@ -1261,11 +1266,36 @@
 #endif
 }
 
+#ifdef VSF_SYSDEP_HAVE_LINUX_CLONE
+/* On Linux versions <2.6.35, netns cleanup may be so slow that
+ * creating a netns per connection allows a remote denial-of-service.
+ * We therefore do not use CLONE_NEWNET on these versions.
+ */
+static int
+vsf_sysutil_netns_cleanup_is_fast(void)
+{
+#ifdef __linux__
+  struct utsname utsname;
+  int r1, r2, r3 = 0;
+  return (uname(&utsname) == 0 &&
+	  sscanf(utsname.release, "%d.%d.%d", &r1, &r2, &r3) >= 2 &&
+	  ((r1 << 16) | (r2 << 8) | r3) >= ((2 << 16) | (6 << 8) | 35));
+#else
+  /* Assume any other kernel that has the feature don't have this problem */
+  return 1;
+#endif
+}
+#endif
+
 int
 vsf_sysutil_fork_isolate_all_failok()
 {
 #ifdef VSF_SYSDEP_HAVE_LINUX_CLONE
-  static int cloneflags_work = 1;
+  static int cloneflags_work = -1;
+  if (cloneflags_work < 0)
+  {
+    cloneflags_work = vsf_sysutil_netns_cleanup_is_fast();
+  }
   if (cloneflags_work)
   {
     int ret = syscall(__NR_clone,
@@ -1311,7 +1341,11 @@
 vsf_sysutil_fork_newnet()
 {
 #ifdef VSF_SYSDEP_HAVE_LINUX_CLONE
-  static int cloneflags_work = 1;
+  static int cloneflags_work = -1;
+  if (cloneflags_work < 0)
+  {
+    cloneflags_work = vsf_sysutil_netns_cleanup_is_fast();
+  }
   if (cloneflags_work)
   {
     int ret = syscall(__NR_clone, CLONE_NEWNET | SIGCHLD, NULL);
--- END ---

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@lists.debian-maintainers.org>:
Bug#629373; Package vsftpd. (Tue, 19 Jul 2011 12:20:54 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel@lists.debian-maintainers.org>. (Tue, 19 Jul 2011 12:21:11 GMT) Full text and rfc822 format available.

Message #15 received at 629373@bugs.debian.org (full text, mbox):

From: Steve McIntyre <steve@einval.com>
To: Ben Hutchings <ben@decadent.org.uk>, 629373@bugs.debian.org
Subject: Re: Bug#629373: Remote DoS with vsftpd on Linux 2.6.32
Date: Tue, 19 Jul 2011 13:15:32 +0100
On Mon, Jun 06, 2011 at 06:15:08AM +0100, Ben Hutchings wrote:
>This patch should provide the necessary kernel version check, but I
>haven't tested it.
>
>Ben.
>
>--- vsftpd-2.3.2.orig/sysdeputil.c
>+++ vsftpd-2.3.2/sysdeputil.c
>@@ -25,6 +25,11 @@
>   #define _LARGEFILE64_SOURCE 1
> #endif
> 
>+#ifdef __linux__
>+  #include <stdio.h>
>+  #include <sys/utsname.h>
>+#endif
>+
> /* For INT_MAX */
> #include <limits.h>
> 
>@@ -1261,11 +1266,36 @@
> #endif
> }
> 
>+#ifdef VSF_SYSDEP_HAVE_LINUX_CLONE
>+/* On Linux versions <2.6.35, netns cleanup may be so slow that
>+ * creating a netns per connection allows a remote denial-of-service.
>+ * We therefore do not use CLONE_NEWNET on these versions.
>+ */
>+static int
>+vsf_sysutil_netns_cleanup_is_fast(void)
>+{
>+#ifdef __linux__
>+  struct utsname utsname;
>+  int r1, r2, r3 = 0;
>+  return (uname(&utsname) == 0 &&
>+	  sscanf(utsname.release, "%d.%d.%d", &r1, &r2, &r3) >= 2 &&
>+	  ((r1 << 16) | (r2 << 8) | r3) >= ((2 << 16) | (6 << 8) | 35));
>+#else
>+  /* Assume any other kernel that has the feature don't have this problem */
>+  return 1;
>+#endif
>+}
>+#endif
>+
> int
> vsf_sysutil_fork_isolate_all_failok()
> {
> #ifdef VSF_SYSDEP_HAVE_LINUX_CLONE
>-  static int cloneflags_work = 1;
>+  static int cloneflags_work = -1;
>+  if (cloneflags_work < 0)
>+  {
>+    cloneflags_work = vsf_sysutil_netns_cleanup_is_fast();
>+  }
>   if (cloneflags_work)
>   {
>     int ret = syscall(__NR_clone,
>@@ -1311,7 +1341,11 @@
> vsf_sysutil_fork_newnet()
> {
> #ifdef VSF_SYSDEP_HAVE_LINUX_CLONE
>-  static int cloneflags_work = 1;
>+  static int cloneflags_work = -1;
>+  if (cloneflags_work < 0)
>+  {
>+    cloneflags_work = vsf_sysutil_netns_cleanup_is_fast();
>+  }
>   if (cloneflags_work)
>   {
>     int ret = syscall(__NR_clone, CLONE_NEWNET | SIGCHLD, NULL);

This simple patch seems to work just fine for me, and has stopped a
severe DOS here.

Daniel: any chance of a stable-security update for this please?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
You raise the blade, you make the change... You re-arrange me 'til I'm sane...





Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@lists.debian-maintainers.org>:
Bug#629373; Package vsftpd. (Mon, 05 Sep 2011 11:45:24 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel@lists.debian-maintainers.org>. (Mon, 05 Sep 2011 11:45:30 GMT) Full text and rfc822 format available.

Message #20 received at 629373@bugs.debian.org (full text, mbox):

From: Steve McIntyre <steve@einval.com>
To: 629373@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#629373: Remote DoS with vsftpd on Linux 2.6.32
Date: Mon, 5 Sep 2011 12:41:58 +0100
severity 629373 serious
thanks

On Tue, Jul 19, 2011 at 01:15:24PM +0100, Steve McIntyre wrote:
>
>This simple patch seems to work just fine for me, and has stopped a
>severe DOS here.
>
>Daniel: any chance of a stable-security update for this please?

Ping?

Raising severity to serious as this is a major issue.

Daniel, you have a security bug and a serious DoS bug open again
vsftpd, and no maintainer upload since 2010. Are you planning on
working on this package at some point?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Because heaters aren't purple!" -- Catherine Pitt





Severity set to 'serious' from 'important' Request was from Steve McIntyre <steve@einval.com> to control@bugs.debian.org. (Mon, 05 Sep 2011 11:45:36 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@lists.debian-maintainers.org>:
Bug#629373; Package vsftpd. (Mon, 05 Sep 2011 12:01:33 GMT) Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@progress-technologies.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel@lists.debian-maintainers.org>. (Mon, 05 Sep 2011 12:01:44 GMT) Full text and rfc822 format available.

Message #27 received at 629373@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@progress-technologies.net>
To: 629373@bugs.debian.org
Subject: Re: Remote DoS with vsftpd on Linux 2.6.32
Date: Mon, 05 Sep 2011 13:51:39 +0200
tag 629373 pending
thanks

fixed in git.

-- 
Address:        Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:          daniel.baumann@progress-technologies.net
Internet:       http://people.progress-technologies.net/~daniel.baumann/




Added tag(s) pending. Request was from Daniel Baumann <daniel.baumann@progress-technologies.net> to control@bugs.debian.org. (Mon, 05 Sep 2011 12:02:56 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@lists.debian-maintainers.org>:
Bug#629373; Package vsftpd. (Mon, 05 Sep 2011 12:43:21 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jon Dowland <jmtd@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel@lists.debian-maintainers.org>. (Mon, 05 Sep 2011 12:43:27 GMT) Full text and rfc822 format available.

Message #34 received at 629373@bugs.debian.org (full text, mbox):

From: Jon Dowland <jmtd@debian.org>
To: daniel.baumann@progress-technologies.net, 629373@bugs.debian.org
Subject: Re: Bug#629373: Remote DoS with vsftpd on Linux 2.6.32
Date: Mon, 5 Sep 2011 13:29:30 +0100
On Mon, Sep 05, 2011 at 01:51:39PM +0200, Daniel Baumann wrote:
> tag 629373 pending
> thanks
> 
> fixed in git.

You forgot (or haven't got around to) pushing back to git.debian.org…




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@lists.debian-maintainers.org>:
Bug#629373; Package vsftpd. (Mon, 05 Sep 2011 13:00:22 GMT) Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@progress-technologies.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel@lists.debian-maintainers.org>. (Mon, 05 Sep 2011 13:00:24 GMT) Full text and rfc822 format available.

Message #39 received at 629373@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@progress-technologies.net>
To: Jon Dowland <jmtd@debian.org>
Cc: 629373@bugs.debian.org
Subject: Re: Bug#629373: Remote DoS with vsftpd on Linux 2.6.32
Date: Mon, 05 Sep 2011 14:58:27 +0200
On 09/05/2011 02:29 PM, Jon Dowland wrote:
> You forgot (or haven't got around to) pushing back to git.debian.org…

i never used git.debian.org in the first place.

-- 
Address:        Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:          daniel.baumann@progress-technologies.net
Internet:       http://people.progress-technologies.net/~daniel.baumann/




Reply sent to Daniel Baumann <daniel.baumann@progress-technologies.net>:
You have taken responsibility. (Mon, 05 Sep 2011 14:51:05 GMT) Full text and rfc822 format available.

Notification sent to Ben Hutchings <ben@decadent.org.uk>:
Bug acknowledged by developer. (Mon, 05 Sep 2011 14:51:05 GMT) Full text and rfc822 format available.

Message #44 received at 629373-close@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@progress-technologies.net>
To: 629373-close@bugs.debian.org
Subject: Bug#629373: fixed in vsftpd 2.3.4-1
Date: Mon, 05 Sep 2011 14:49:25 +0000
Source: vsftpd
Source-Version: 2.3.4-1

We believe that the bug you reported is fixed in the latest version of
vsftpd, which is due to be installed in the Debian FTP archive:

vsftpd_2.3.4-1.debian.tar.gz
  to main/v/vsftpd/vsftpd_2.3.4-1.debian.tar.gz
vsftpd_2.3.4-1.dsc
  to main/v/vsftpd/vsftpd_2.3.4-1.dsc
vsftpd_2.3.4-1_i386.deb
  to main/v/vsftpd/vsftpd_2.3.4-1_i386.deb
vsftpd_2.3.4.orig.tar.gz
  to main/v/vsftpd/vsftpd_2.3.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 629373@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <daniel.baumann@progress-technologies.net> (supplier of updated vsftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 05 Sep 2011 15:55:00 +0200
Source: vsftpd
Binary: vsftpd
Architecture: source i386
Version: 2.3.4-1
Distribution: unstable
Urgency: low
Maintainer: Daniel Baumann <daniel.baumann@progress-technologies.net>
Changed-By: Daniel Baumann <daniel.baumann@progress-technologies.net>
Description: 
 vsftpd     - lightweight, efficient FTP server written for security
Closes: 629373 630075 634725
Changes: 
 vsftpd (2.3.4-1) unstable; urgency=low
 .
   * Merging upstream version 2.3.4:
   * Updating maintainer and uploaders fields.
   * Removing vcs fields.
   * Removing references to my old email address.
   * Makging packaging distribution neutral.
   * Updating years in copyright file.
   * Updating to standards version 3.9.2.
   * Compacting copyright file.
   * Updating debconf-po files.
   * Dropping alpha.patch, not supported anymore.
   * Renumbering patches.
   * Rediffing s390.patch.
   * Simplifying architecture listing for libcap2-dev build-depends,
     thanks to Robert Millan <rmh@debian.org> (Closes: #634725).
   * Adding Catalan debconf translations from Innocent De Marchi
     <tangram.peces@gmail.com> (Closes: #630075).
   * Adding patch from Ben Hutchings <ben@decadent.org.uk> to fix a
     remote DoS on Linux 2.6.32 (Closes: #629373).
Checksums-Sha1: 
 618cd1df14b53474a3bbab14d10a93f650643af7 1088 vsftpd_2.3.4-1.dsc
 b774cc6b4c50e20f4fe9ca7f6aa74169ce7fe5ea 187043 vsftpd_2.3.4.orig.tar.gz
 79cd005b51706dca5ec141454f810e0af6e7be07 25181 vsftpd_2.3.4-1.debian.tar.gz
 05b8da03fcc0107d2b286fb2855f7d38be5598bb 152214 vsftpd_2.3.4-1_i386.deb
Checksums-Sha256: 
 29aa6148c7fa6aeea965fb525946b674f0ba73b7c742bdb784cfa5621c7ccbbd 1088 vsftpd_2.3.4-1.dsc
 b466edf96437afa2b2bea6981d4ab8b0204b83ca0a2ac94bef6b62b42cc71a5a 187043 vsftpd_2.3.4.orig.tar.gz
 10d96d87e13ddb280a8cb3ade64b4962e59e129f698e34415e1a5595751c1f8a 25181 vsftpd_2.3.4-1.debian.tar.gz
 c8c6527920f5427287b91aedcdcf86067648e4da35547c3aa267f2e12fcdd2ab 152214 vsftpd_2.3.4-1_i386.deb
Files: 
 2f5569973a51f8d26df4a69b385f9a1e 1088 net extra vsftpd_2.3.4-1.dsc
 2ea5d19978710527bb7444d93b67767a 187043 net extra vsftpd_2.3.4.orig.tar.gz
 6724cf294cb2fe6b556d5a26d3950a0f 25181 net extra vsftpd_2.3.4-1.debian.tar.gz
 cb503dac460895553b44defa4a1f757e 152214 net extra vsftpd_2.3.4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk5k1+cACgkQ+C5cwEsrK54ftACeMY5mdlJwaqkxsBZN4f2SEK+Z
npAAoK3DGOFByV9NNT37q8inCWCMDKQA
=WA5B
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@progress-technologies.net>:
Bug#629373; Package vsftpd. (Mon, 05 Sep 2011 21:45:24 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jon Dowland <jmtd@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@progress-technologies.net>. (Mon, 05 Sep 2011 21:45:24 GMT) Full text and rfc822 format available.

Message #49 received at 629373@bugs.debian.org (full text, mbox):

From: Jon Dowland <jmtd@debian.org>
To: Daniel Baumann <daniel.baumann@progress-technologies.net>
Cc: 629373@bugs.debian.org
Subject: Re: Bug#629373: Remote DoS with vsftpd on Linux 2.6.32
Date: Mon, 5 Sep 2011 21:42:03 +0100
On Mon, Sep 05, 2011 at 02:58:27PM +0200, Daniel Baumann wrote:
> On 09/05/2011 02:29 PM, Jon Dowland wrote:
> >You forgot (or haven't got around to) pushing back to git.debian.org…
> 
> i never used git.debian.org in the first place.

So you didn't.  So instead I should have written:

You forgot (or haven't got around to) pushing back to git.debian-maintainers.org…

However, http://git.debian-maintainers.org/?p=daniel/vsftpd.git is now a 404.

I see in the changelog:

   * Removing vcs fields.

Not helpful ☹





Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@progress-technologies.net>:
Bug#629373; Package vsftpd. (Mon, 05 Sep 2011 21:54:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to daniel.baumann@progress-technologies.net:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@progress-technologies.net>. (Mon, 05 Sep 2011 21:54:07 GMT) Full text and rfc822 format available.

Message #54 received at 629373@bugs.debian.org (full text, mbox):

From: Daniel Baumann <daniel.baumann@progress-technologies.net>
To: Jon Dowland <jmtd@debian.org>
Cc: 629373@bugs.debian.org
Subject: Re: Bug#629373: Remote DoS with vsftpd on Linux 2.6.32
Date: Mon, 05 Sep 2011 23:51:06 +0200
On 09/05/2011 10:42 PM, Jon Dowland wrote:
>> i never used git.debian.org in the first place.
>
> So you didn't.  So instead I should have written:
>
> You forgot (or haven't got around to) pushing back to git.debian-maintainers.org…
>
> However, http://git.debian-maintainers.org/?p=daniel/vsftpd.git is now a 404.

first of all..

i used to use git.debian.net as git.debian.org is unusable (for 
starters, it's not using a ssh gatekeeper). people accused me abusing 
debian ressources (sic; it's a debian.net domain name!). so i switched 
over the course of two years all my packages to 
git.debian-maintainers.org. when i was finished, people accused me, 
amonst others, of hiding maintainer ship by, amonst others, using 
non-alioth infrastructure.

what i learned from this? never ever use any domain matching 
(.*)debian(.*) anymore for anything (live.d.n being the only exception) 
and not referencing vcs in control anymore anywhere...

> I see in the changelog:
>
>     * Removing vcs fields.
>
> Not helpful ☹

...and guess what? you people keep complaining.

in order to further minimize that, next time, i will just tag bugs 
pending without mentioning git or version control or anything like that.

second, the repo on git.d-m.o was outdated since quite some time, i just 
forgot to remove it, which i did today after uploading the new one to 
the new location. i soon can get rid of the whole domain anyway once all 
my packages have been moved.

third, in debian[tm], maintainers are free to use whatever version 
control they seem fit, or none at all. so from your point of view, i see 
no point in being any better of as if i would not use any version 
control at all.

not amused.

-- 
Address:        Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:          daniel.baumann@progress-technologies.net
Internet:       http://people.progress-technologies.net/~daniel.baumann/




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel.baumann@progress-technologies.net>:
Bug#629373; Package vsftpd. (Tue, 06 Sep 2011 08:45:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jon Dowland <jmtd@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel.baumann@progress-technologies.net>. (Tue, 06 Sep 2011 08:45:06 GMT) Full text and rfc822 format available.

Message #59 received at 629373@bugs.debian.org (full text, mbox):

From: Jon Dowland <jmtd@debian.org>
To: Daniel Baumann <daniel.baumann@progress-technologies.net>
Cc: 629373@bugs.debian.org
Subject: Re: Bug#629373: Remote DoS with vsftpd on Linux 2.6.32
Date: Tue, 6 Sep 2011 09:41:39 +0100
On Mon, Sep 05, 2011 at 11:51:06PM +0200, Daniel Baumann wrote:
> ...and guess what? you people keep complaining.
                     ^^^^^^^^^^

Do not make the mistake of considering everyone in Debian as being
the same.  You've obviously had some bad experiences with some
people in the past, regarding your tale of using various git
repositories.  I'm sorry for that, but whoever they were, I am not
one of those people.

If you average your bad experiences across the whole community, you
will just bring the negativity with you to future interactions.

> third, in debian[tm], maintainers are free to use whatever version
> control they seem fit, or none at all. so from your point of view, i
> see no point in being any better of as if i would not use any
> version control at all.

Public package repositories and VCS-* headers are a service that
maintainers can offer to their users which is greatly appreciated by
some (including me).  When I read you'd committed the patch,  I
attempted to clone and build vsftpd, which would have been (a bit)
quicker for me than applying Ben's patch to the current package
version.  It would also mean that any patch fudging necessary was
already done.

You used to offer the service and now you have withdrawn it. This
seemed to be in response to me pointing out that you hadn't pushed
the commit:  I realise now that this was coincidence, but the
impression it gave was of "throwing your toys out of the pram".
Thanks for clarifying.

> not amused.

I don't recall telling a joke.


-- 
Jon Dowland





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:56:27 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 11:41:23 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.