[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#29528] Add blacknurse
|
From: |
ng0 |
|
Subject: |
[bug#29528] Add blacknurse |
|
Date: |
Sun, 3 Dec 2017 23:49:10 +0000 |
Ricardo Wurmus transcribed 2.1K bytes:
>
> Hi ng0,
>
> > +(define-public blacknurse
> > + (let* ((commit "d2a2b23544295844714ebf8d2d78af37fe5770c9")
> > + (revision "1"))
> > + (package
> > + (name "blacknurse")
> > + (version (string-append "0.0.0-" revision "." (string-take commit
> > 7)))
> > + (source
> > + (origin
> > + (method git-fetch)
> > + (uri (git-reference
> > + (url "https://github.com/jedisct1/blacknurse";)
> > + (commit commit)))
> > + (file-name (string-append name "-" version))
>
> This should be “(file-name (string-append name "-" version "-checkout"))”.
>
> > + (sha256
> > + (base32
> > + "1w7zmcrnrs4p4naj3i6h1wcmd56dgrfd7myx0ljhw162sg0134nz"))))
> > + (build-system gnu-build-system)
> > + (arguments
> > + `(#:make-flags (list "CC=gcc")
> > + #:tests? #f ; No tests
> > + #:phases
> > + (modify-phases %standard-phases
> > + (delete 'configure) ; No configure script
> > + (replace 'install
> > + (lambda* (#:key outputs #:allow-other-keys)
> > + (let* ((out (assoc-ref outputs "out"))
> > + (bin (string-append out "/bin")))
> > + (install-file "blacknurse" bin)))))))
>
> This should end on #t.
>
> > + (home-page "https://github.com/jedisct1/blacknurse";)
> > + (synopsis "Proof of Concept for the Blacknurse attack")
> > + (description
> > + "Simple Proof of Concept for the Blacknurse attack.
> > +Blacknurse is a low bandwidth ICMP attack that is capable of doing denial
> > +of service to well known firewalls.")
>
> The first fragment is not a full sentence.
>
> Looking at this package I wonder why it should be part of Guix as it is
> merely malware. I don’t see any reason why this should be installable
> through Guix. We are not in the habit of providing packages for
> exploits. Putting it in “networking” makes it seem like this would be a
> useful networking application, but it really is not. It just
> demonstrates a bug in networked devices.
>
> @Ludo: what do you think?
>
> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net
To some extent I agree, I'm just probing where we draw the
line in pen-testing software.
I have a repository for those, and I'll add a comment to
get an idea for what we decide on. blacknurse for me
was a grey area in a new class of pen-testing software
I haven't sent before.
Software written with malicious intentions or such that
can be interpreted / used with those has a broad range,
some of it will be okay for us in Guix, some of it won't
be okay.
I draw the line at explicitly malicious. Blacknurse was
kinda okay for me, but I think your comment is enough
to let me put it in the case-by-case 'malicious' category.
Runs an PoC exploit targeted at launching an attack against
unpatched firewalls -> bad.
Eventually this should help getting a list of example
software we will not accept in Guix, if someone else
tries.
--
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://c.n0.is/ng0_pubkeys/tree/keys
WWW: https://n0.is
signature.asc
Description: PGP signature