--- Begin Message ---
|
Subject: |
Re: [bug#29528] Add blacknurse |
|
Date: |
Mon, 4 Dec 2017 16:18:00 +0000 |
Ludovic Courtès transcribed 1.4K bytes:
> Hi,
>
> Ricardo Wurmus <address@hidden> skribis:
>
> >> + (home-page "https://github.com/jedisct1/blacknurse";)
> >> + (synopsis "Proof of Concept for the Blacknurse attack")
> >> + (description
> >> + "Simple Proof of Concept for the Blacknurse attack.
> >> +Blacknurse is a low bandwidth ICMP attack that is capable of doing denial
> >> +of service to well known firewalls.")
> >
> > The first fragment is not a full sentence.
> >
> > Looking at this package I wonder why it should be part of Guix as it is
> > merely malware. I don’t see any reason why this should be installable
> > through Guix. We are not in the habit of providing packages for
> > exploits. Putting it in “networking” makes it seem like this would be a
> > useful networking application, but it really is not. It just
> > demonstrates a bug in networked devices.
> >
> > @Ludo: what do you think?
>
> Indeed. I see two issues here:
>
> 1. a “proof of concept” is typically something for experts of the
> field to study, rather than generally useful software;
Hm... We have some proof of work implementations of software in Guix
I think. In addition I'd think that there are many more professionals
only software. So PoC as an issues is a non-issue to me as long as it
works.
> 2. it’s a tool whose purpose is to perform DoS attacks on routers, and
> I find it questionable to provide it in Guix (not to mention that
> there’s no shortage of such programs that we could add!).
And this is the real issue. I fully agree with the statements and
views on this software made by Ricardo and yourself.
I'm taking most of these software from BlackArch, Kali and
other distro-builder distros targeted at pen-testing professionals
in addition to the commercial solutions.
Some of these don't even have license statements, I had chats with
BlackArch to correct a large batch of their own script'ish software.
> So overall I’m reluctant to including it in Guix.
>
> Thoughts?
>
> Ludo’.
I haven't read the Documentation in a while, but do we define anything
besides the requirement that a software needs to fit into the GNU FSDG?
I mean more specifically, do we want to come up with a definition for
software (such as this) that won't be included at all, or do we decide
individually per case?
I myself now know what we have agreed upon here, I just don't know if
it would make more sense to define it in the Handbook.
There's a whole lot of software similar to this out there.
For example:
I have a collection of isolated viruses somewhere that is intended for
study only. Of course I know this is definitely not something we should
distribute in master, but there are certain cases where people wouldn't
know wether this is okay to distribute from the official side or not.
In addition to my main projects I'm lowkey working on some kind of
pen-testing repository, so that it can serve as a base for a flavor
of my mechanism for custom distro building automation. Based on the
general mechanism of creating official flavors I could test the ability
to extend on this with for example the theme of pen-testing.
Some of the software can find it way into Guix (some already has),
a large amount of it won't (for obvious reasons).
I'm CC'ing devel and closing this bug, so that we can discuss - if
necessary - the problem of pointing out software like this in and their
restriction in the Handbook.
Thanks,
N.
--
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://c.n0.is/ng0_pubkeys/tree/keys
WWW: https://n0.is
signature.asc
Description: PGP signature
--- End Message ---
0001-gnu-Add-blacknurse.patch