Not getting your Linux box infected

rds slags off people who are running Hula without checking it:

Also, for anyone wondering how easy it would be for some malicious idiot to infect a Linux box, ask how many people are now running Hula. Now, how many audited that code first? Now, how many had to run it as root to even get it to run? Now, how many people put it onto their box merely because it was released. Now, how many people, before installing it, knew what the fuck it even does? Remember: Linux is airtight, nothin’ll get in on one of those boxes, you don’t need to be careful, because you’re totally covered. Running an untested, unaudited network server as root? Spy/mal/adware? Bitch, please, it’s cool. We’ve got some no-exec patches compiled in and everything.

Probably right for dim people. Me, on the other hand, I ran it on my laptop, and it had no network connection while I was doing it. And then I stopped it before opening the network again. Perhaps it installed some spyware. I think it’s unlikely, frankly, because I trust Novell and I trust Nat Friedman, but perhaps Novell are interested in really really annoying their core community and installed some spyware on my machine. Then yep, I’ve been owned. On the other hand, as I have said before, bad programs don’t need to be root. How much safer would I be if I was running the software as my user account? It could still infect my apps; still hide itself all over the place. .gnome/AutoStart, an extension in Firefox, my .bashrc, my .bash_profile, my .xsession, my .xinitrc. In my Gnome configuration as an applet. Being root would allow it to install a few more places, but, like, whatever, man. Root stuff is less bad if I lose it than all the stuff that I can write as a user, because I can reconstitute all root-owned things with a quick blast from the Debian archives. That is, assuming that Debian haven’t decided to add spyware to my machine, just like Novell perhaps have. How are GPG keys going to affect that? How can we be snide about the problems of running Hula, from Novell, and not be equally snide about the problems of running Debian software?
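The user-writable startup locations listed above can be baselined and re-checked for changes. The following is an added example, not code from the original post; the function names, the `save`/`check` command-line modes and the JSON baseline format are assumptions made here. Keep the baseline file somewhere the user account cannot write, since anything running as that user could otherwise rewrite it along with the dotfiles.

```python
import hashlib
import json
import os
import sys

# Startup locations named in the post, relative to $HOME. Firefox extensions
# and GNOME applet settings are also named there but are not covered here.
WATCHED = [".bashrc", ".bash_profile", ".xsession", ".xinitrc", ".gnome/AutoStart"]

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(home):
    """Map each existing watched file (relative to home) to its SHA-256."""
    found = {}
    for rel in WATCHED:
        top = os.path.join(home, rel)
        if os.path.isfile(top):
            found[rel] = _sha256(top)
        # os.walk yields nothing when top is a plain file or does not exist
        for root, _dirs, files in os.walk(top):
            for name in files:
                full = os.path.join(root, name)
                if os.path.isfile(full):  # skip broken symlinks
                    found[os.path.relpath(full, home)] = _sha256(full)
    return found

def compare(baseline, current):
    """Return sorted lists of added, removed and changed paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }

if __name__ == "__main__":
    # Usage (assumed interface): script.py save|check BASELINE.json
    mode, baseline_file = sys.argv[1], sys.argv[2]
    now = snapshot(os.path.expanduser("~"))
    if mode == "save":
        with open(baseline_file, "w") as f:
            json.dump(now, f, indent=2)
    else:
        with open(baseline_file) as f:
            print(json.dumps(compare(json.load(f), now), indent=2))
```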

2 comments.

  1. While rds has a good point, he’s not taking into account the fact that, as you said, the software is coming from Nat, and probably those who are already running Hula are trusting him and testing his new software. (my case).

    Also, like you, I tested it on my Ubuntu laptop, didn’t even get it to work (missing the root tip).

    Anyhow, he certainly has a point, too bad it doesn’t apply in this case.

  2. /me is intending to install it on a completely separate, clean box, behind a firewall. While I understand this may not resolve some of the potential security issues, it should hold off some of the ‘damage’ ;)
