nominate for removal: ethereal
Phil Knirsch
pknirsch at redhat.com
Thu Jul 8 10:21:25 UTC 2004
seth vidal wrote:
> So, would it be completely inappropriate to nominate ethereal for
> removal from fc3 due to its spotty history of security problems?
>
> It seems like an excellent place to start thinking of packages that
> should be maintained, in fedora extras, by the people interested in
> using them, not by the central developers at red hat.
>
> Thoughts?
>
Well, maybe I as the package maintainer of ethereal here at Red Hat for
now a little over 3 years can give my $0.02 to this topic.

Your request is certainly not inappropriate at all, I've often wondered
why we (and especially I) still maintain this package and we keep
shipping it in every released product.

The thing is: It is a very very useful tool, even more so imho than
tcpdump. And especially for network debugging it is invaluable.

Now, if you look at our product line, it mainly targets the enterprise
customer, especially the server side there. Now, what kind of
applications except the standard server software does especially an
administrator need and use? Exactly, tools for setting up the system,
monitoring it and debugging it. And ethereal is exactly in that space.
If I were a sysadmin I would put ethereal in my top 10 list of apps
that need to be in a product that I would consider buying (or recommend
my company to buy).

On the other hand, as you yourself already mentioned, and as I had the
pleasure of being directly affected by, there is the extreme security
record of ethereal. Recently I began to joke about doing an automatic
monthly ethereal errata, just in case. :-)

But seriously, this is really the downside of this tool: As it reads
every crappy byte from the network and parses it in tons of ways to
figure out what kind of packet just went past it, it is prone to such
problems. After every errata I always have the hope that we slowly get
to a point where there will be less and less security errata for
ethereal, but my gut tells me there is no end in sight yet. Maybe
someone with a really strong background in doing security audit code
reviews should take some time and wade through the whole ethereal code
once and be done with it for a while (until new plugins come in with new
security problems).

So to boil it down, I am between a rock and a hard place here:

On the one hand, I see the real need and use and benefit of having
ethereal in our products.

On the other hand, it produces an awful lot of work over time. At the
moment if an ethereal security problem is found I need to do 4 errata
(AS2.1, RHEL3, FC1 and FC2). In the future this number will only
increase, especially as our enterprise products have such a long lifetime.

And the point is, for a package that needs to be in our enterprise
products, it is in the long run necessary that there is an internal Red
Hat package maintainer for it.

I was, am and will be maintaining ethereal and hope we can keep it in
the enterprise product. Should we ever decide to remove it from our main
products I'll gladly step down as package maintainer and hand it over to
someone in the community to take good care of the package. But until
then I don't think it's a good idea.

Those are my long $0.02 on the topic. ;-)

Read ya, Phil
--
Philipp Knirsch | Tel.: +49-711-96437-470
Development | Fax.: +49-711-96437-111
Red Hat GmbH | Email: Phil Knirsch <phil at redhat.de>
Hauptstaetterstr. 58 | Web: http://www.redhat.de/
D-70178 Stuttgart
Motd: You're only jealous cos the little penguins are talking to me.