Posted to dev@bigtop.apache.org by Roman Shaposhnik <rv...@apache.org> on 2016/03/13 05:30:19 UTC

Alleged security issues around redhat-lsb-core

Hi!

our good friend Eric Yang has been at it again: spreading
FUD about Bigtop: https://s.apache.org/KglM

Nothing new, aside from this quote:
====================================================
Bigtop contains /lib/lsb/init-functions which will import redhat-lsb-core
which imports exim. Exim is known for common root escalation
vulnerability. If you value your cluster security, I would recommend to
think twice before using BigTop.
====================================================

Could someone who's dealt with security for real (Olaf -- your
name came to mind immediately) please comment on that
JIRA thread?

Typically I wouldn't feed Eric 'the troll' Yang, but I think having
this type of allegation in a public record could be pretty bad for
us.

Thanks,
Roman.
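One way to check the quoted claim on an RPM host, as an added example that is not from this thread or from Bigtop itself: find which package owns /lib/lsb/init-functions, walk its transitive requirements, and see whether exim actually appears. The dependency map in the block is constructed sample data, not the real redhat-lsb-core requirement list; the live queries assume rpm and awk are present.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether a package's transitive
# RPM requirements pull in a given package, here whether redhat-lsb-core,
# the owner of /lib/lsb/init-functions, ends up requiring exim.

# Live queries for a real RPM host (assumed tools: rpm, awk).
owner_of()     { rpm -qf "$1"; }                          # package owning a file
requires_of()  { rpm -q --requires "$1" | awk '{print $1}' | sort -u; }
is_installed() { rpm -q "$1" >/dev/null 2>&1; }           # 0 if installed

# Offline walk over a "pkg: dep dep ..." map (one package per line).
# $1 = map text, $2 = root package. Prints every transitively required
# name once, breadth-first, so the chain to any hit is visible.
reachable() {
  map=$1
  seen=" $2 "
  queue=$2
  while [ -n "$queue" ]; do
    cur=${queue%% *}
    queue=${queue#"$cur"}
    queue=${queue# }
    deps=$(printf '%s\n' "$map" | awk -v p="$cur" -F': ' '$1 == p { print $2 }')
    for d in $deps; do
      case "$seen" in
        *" $d "*) ;;                                      # already visited
        *) seen="$seen$d "; queue="${queue:+$queue }$d"; echo "$d" ;;
      esac
    done
  done
}

# 0 if $3 is reachable from $2 in map $1, 1 otherwise.
pulls_in() { reachable "$1" "$2" | grep -qx "$3"; }

# Constructed sample map, NOT the real requirement list: the LSB package
# asks for a virtual /usr/sbin/sendmail, which the resolver satisfies with
# whichever MTA the repository defaults to (postfix here), not exim.
SAMPLE_MAP='redhat-lsb-core: redhat-lsb-submod-security mailx /usr/sbin/sendmail
mailx: /usr/sbin/sendmail
/usr/sbin/sendmail: postfix'

# On a real host, replace the sample with live data:
#   pkg=$(owner_of /lib/lsb/init-functions); requires_of "$pkg"; is_installed exim
if pulls_in "$SAMPLE_MAP" redhat-lsb-core exim; then
  echo "exim is pulled in"
else
  echo "exim is not pulled in; chain: $(reachable "$SAMPLE_MAP" redhat-lsb-core | tr '\n' ' ')"
fi
```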

Re: Alleged security issues around redhat-lsb-core

Posted by Peter Linnell <pl...@scribus.net>.
On Sat, 12 Mar 2016 22:51:35 -0800
Andrew Purtell <an...@gmail.com> wrote:

> I recall having one conversation with him when he worked at
> Hortonworks (maybe still does? - I don't know) about adding a RPM
> build target to HBase, which didn't make much sense for us in my
> present opinion, and I believe we politely declined at the time. I
> presumed he was involved with distribution packaging there. 
> 
> 
> > On Mar 12, 2016, at 9:31 PM, Konstantin Boudnik <co...@apache.org>
> > wrote:
> > 
> > Who's that fella anyway? I have a vague recollection that he was at
> > Y!, walking around and whining about everything? Or was it a
> > different Eric? I am getting old and want to forget all the
> > unpleasant episodes in my life.
> > 
> > Anyway, his logic is flawed and leads us to the extreme where we
> > just have to stop using any software out there, because there might
> > be some vulnerability. While we need to strive to make our product
> > better and safer for users, there are also realities and things we
> > do not control. 
> > 
> > There's quite a positive part in this whole discussion: I really like
> > that the other people in the ecosystem look at us as the de-facto
> > focal point of the stack integration. I think the mission is
> > accomplished! But let's not rest here just yet ;)
> > 
> > Cos
> >   
> >> On Sat, Mar 12, 2016 at 08:30PM, Roman Shaposhnik wrote:
> >> Hi!
> >> 
> >> our good friend Eric Yang has been at it again: spreading
> >> FUD about Bigtop: https://s.apache.org/KglM
> >> 
> >> Nothing new, aside from this quote:
> >> ====================================================
> >> Bigtop contains /lib/lsb/init-functions which will import
> >> redhat-lsb-core which imports exim. Exim is known for common root
> >> escalation vulnerability. If you value your cluster security, I
> >> would recommend to think twice before using BigTop.
> >> ====================================================
> >> 
> >> Could someone who's dealt with security for real (Olaf -- your
> >> name came to mind immediately) please comment on that
> >> JIRA thread?
> >> 
> >> Typically I wouldn't feed Eric 'the troll' Yang, but I think having
> >> this type of allegation in a public record could be pretty bad for
> >> us.
> >> 
> >> Thanks,
> >> Roman.  

Hi all,

As I am catching up on the backlog of mail, I found this:

http://chukwa.apache.org/team-list.html

Seems Mr Yang is at IBM.

Cheers,
Peter 

Re: Alleged security issues around redhat-lsb-core

Posted by Andrew Purtell <an...@gmail.com>.
I recall having one conversation with him when he worked at Hortonworks (maybe still does? - I don't know) about adding a RPM build target to HBase, which didn't make much sense for us in my present opinion, and I believe we politely declined at the time. I presumed he was involved with distribution packaging there. 


> On Mar 12, 2016, at 9:31 PM, Konstantin Boudnik <co...@apache.org> wrote:
> 
> Who's that fella anyway? I have a vague recollection that he was at Y!,
> walking around and whining about everything? Or was it a different Eric? I am
> getting old and want to forget all the unpleasant episodes in my life.
> 
> Anyway, his logic is flawed and leads us to the extreme where we just have to
> stop using any software out there, because there might be some vulnerability.
> While we need to strive to make our product better and safer for users, there
> are also realities and things we do not control. 
> 
> There's quite a positive part in this whole discussion: I really like that the
> other people in the ecosystem look at us as the de-facto focal point of the
> stack integration. I think the mission is accomplished! But let's not rest
> here just yet ;)
> 
> Cos
> 
>> On Sat, Mar 12, 2016 at 08:30PM, Roman Shaposhnik wrote:
>> Hi!
>> 
>> our good friend Eric Yang has been at it again: spreading
>> FUD about Bigtop: https://s.apache.org/KglM
>> 
>> Nothing new, aside from this quote:
>> ====================================================
>> Bigtop contains /lib/lsb/init-functions which will import redhat-lsb-core
>> which imports exim. Exim is known for common root escalation
>> vulnerability. If you value your cluster security, I would recommend to
>> think twice before using BigTop.
>> ====================================================
>> 
>> Could someone who's dealt with security for real (Olaf -- your
>> name came to mind immediately) please comment on that
>> JIRA thread?
>> 
>> Typically I wouldn't feed Eric 'the troll' Yang, but I think having
>> this type of allegation in a public record could be pretty bad for
>> us.
>> 
>> Thanks,
>> Roman.

Re: Alleged security issues around redhat-lsb-core

Posted by Konstantin Boudnik <co...@apache.org>.
Who's that fella anyway? I have a vague recollection that he was at Y!,
walking around and whining about everything? Or was it a different Eric? I am
getting old and want to forget all the unpleasant episodes in my life.

Anyway, his logic is flawed and leads us to the extreme where we just have to
stop using any software out there, because there might be some vulnerability.
While we need to strive to make our product better and safer for users, there
are also realities and things we do not control. 

There's quite a positive part in this whole discussion: I really like that the
other people in the ecosystem look at us as the de-facto focal point of the
stack integration. I think the mission is accomplished! But let's not rest
here just yet ;)

Cos

On Sat, Mar 12, 2016 at 08:30PM, Roman Shaposhnik wrote:
> Hi!
> 
> our good friend Eric Yang has been at it again: spreading
> FUD about Bigtop: https://s.apache.org/KglM
> 
> Nothing new, aside from this quote:
> ====================================================
> Bigtop contains /lib/lsb/init-functions which will import redhat-lsb-core
> which imports exim. Exim is known for common root escalation
> vulnerability. If you value your cluster security, I would recommend to
> think twice before using BigTop.
> ====================================================
> 
> Could someone who's dealt with security for real (Olaf -- your
> name came to mind immediately) please comment on that
> JIRA thread?
> 
> Typically I wouldn't feed Eric 'the troll' Yang, but I think having
> this type of allegation in a public record could be pretty bad for
> us.
> 
> Thanks,
> Roman.

Re: Alleged security issues around redhat-lsb-core

Posted by Konstantin Boudnik <co...@apache.org>.
On Sun, Mar 13, 2016 at 06:52PM, Olaf Flebbe wrote:
> Hi,
> 
> This is hilarious, exim is not installed by bigtop. I advised him not to use
> java at all, since it has a much larger attack surface.

Check and mate! Well done, and thanks for weighing in!

I guess we can put it to rest, as his complaints will go on forever, as we can
already see in that JIRA. Perhaps he should install some government-approved
version of Windows and be happy with that. RIP

Cos

> I will not feed him with more.
> 
> Olaf
> 
> 
> > Am 13.03.2016 um 05:30 schrieb Roman Shaposhnik <rv...@apache.org>:
> > 
> > Hi!
> > 
> > our good friend Eric Yang has been at it again: spreading
> > FUD about Bigtop: https://s.apache.org/KglM
> > 
> > Nothing new, aside from this quote:
> > ====================================================
> > Bigtop contains /lib/lsb/init-functions which will import redhat-lsb-core
> > which imports exim. Exim is known for common root escalation
> > vulnerability. If you value your cluster security, I would recommend to
> > think twice before using BigTop.
> > ====================================================
> > 
> > Could someone who's dealt with security for real (Olaf -- your
> > name came to mind immediately) please comment on that
> > JIRA thread?
> > 
> > Typically I wouldn't feed Eric 'the troll' Yang, but I think having
> > this type of allegation in a public record could be pretty bad for
> > us.
> > 
> > Thanks,
> > Roman.
> 



Re: Alleged security issues around redhat-lsb-core

Posted by Olaf Flebbe <of...@oflebbe.de>.
Hi,

This is hilarious, exim is not installed by bigtop. I advised him not to use java at all, since it has a much larger attack surface.

I will not feed him with more.

Olaf


> Am 13.03.2016 um 05:30 schrieb Roman Shaposhnik <rv...@apache.org>:
> 
> Hi!
> 
> our good friend Eric Yang has been at it again: spreading
> FUD about Bigtop: https://s.apache.org/KglM
> 
> Nothing new, aside from this quote:
> ====================================================
> Bigtop contains /lib/lsb/init-functions which will import redhat-lsb-core
> which imports exim. Exim is known for common root escalation
> vulnerability. If you value your cluster security, I would recommend to
> think twice before using BigTop.
> ====================================================
> 
> Could someone who's dealt with security for real (Olaf -- your
> name came to mind immediately) please comment on that
> JIRA thread?
> 
> Typically I wouldn't feed Eric 'the troll' Yang, but I think having
> this type of allegation in a public record could be pretty bad for
> us.
> 
> Thanks,
> Roman.