So, would it be completely inappropriate to nominate ethereal for removal from fc3 due to its spotty history of security problems?
It seems like an excellent place to start thinking of packages that
should be maintained, in fedora extras, by the people interested in
using them, not by the central developers at red hat.
Thoughts?
Well, maybe i as the package maintainer of ethereal here at Red Hat for now a little over 3 years can give my $0.02 to this topic.
Your request is certainly not inappropriate at all, i've often wondered why we (and especially i) still maintain this package and we keep shipping it in every released product.
The thing is: It is a very very useful tool, even more so imho than tcpdump. And especially for network debugging it is invaluable.
Now, if you look at our product line, it mainly targets the enterprise customer, especially the server side there. Now, what kind of applications except the standard server software does especially an administrator need and use? Exactly, tools for setting up the system, monitoring it and debugging it. And ethereal is exactly in that space. If i would be a sysadmin i would put ethereal in my top 10 list of apps that need to be in a product that i would consider buying (or recommend my company to buy).
On the other hand, as you yourself already mentioned and that i had the pleasure of being directly affected by it is the extreme security record of ethereal. Recently i began to joke about doing an automatic monthly ethereal errata, just in case. :-)
But seriously, this is really the downside of this tool: As it reads every crappy byte from the network and parses it in tons of ways to figure out what kind of package just went past it it is prone to such problems. After every errata i always have the hope that we slowly get to a point where there will be less and less security erratas for ethereal, but my gut tells me there is no end in sight yet. Maybe someone with a real strong background for doing security audit code reviews should take some time and wade through the whole ethereal code once and be done with it for a while (until new plugins come in with new security problems).
So to boil it down, i am between a rock and a hard place here:
On the one hand, i see the real need and use and benefit of having ethereal in our products.
On the other hand, it produces and awful lot of work over time. At the moment if an ethereal security problem is found i need to do 4 erratas (AS2.1, RHEL3, FC1 and FC2). In the future this number will mainly only increase, especially as our enterprise products have such a long lifetime.
And the point is, for a package that needs to be in our enterprise products, it is in the long run necessary that there is an internal Red Hat package maintainer for it.
I was, am and will be maintaining ethereal and hope we can keep it in the enterprise product. Should we ever decide to remove it from our main products i'll gladly step down as package maintainer and hand it over to someone in the community to take good care of the package. But until then i don't think it's a good idea.
Those are my long $0.02 on the topic. ;-)
Read ya, Phil
-- Philipp Knirsch | Tel.: +49-711-96437-470 Development | Fax.: +49-711-96437-111 Red Hat GmbH | Email: Phil Knirsch <phil@xxxxxxxxx> Hauptstaetterstr. 58 | Web: http://www.redhat.de/ D-70178 Stuttgart Motd: You're only jealous cos the little penguins are talking to me.
