[Mageia-dev] (second attempt) suggesting sectool be dropped

Florian Hubold doktor5000 at arcor.de
Thu Nov 17 19:59:45 CET 2011

On 17.11.2011 11:26, Michael Scherer wrote:
> On Tue, Nov 15, 2011 at 11:39:29AM +0100, Florian Hubold wrote:
>> On 15.11.2011 07:29, Michael Scherer wrote:
>>> On Monday, 14 November 2011 at 22:09 -0800, Robert M. Riches Jr. wrote:
>>>> (New list subscriber...needed to fix registered email address to post...)
>>>> I was asked to submit this suggestion to the mailing list:
>>>> As a Mageia user, I believe msec was much better off with_OUT_
>>>> sectool.  In its present state, sectool is BADLY broken.  It
>>>> whines for pages about file permissions that are exactly as they
>>>> should be. 
>>> Can you be more specific ?
>> I think he means this: https://bugs.mageia.org/show_bug.cgi?id=2808
>> or https://bugs.mageia.org/show_bug.cgi?id=2255#c21 or
>> https://bugs.mageia.org/show_bug.cgi?id=2255#c22
>> I've also become supportive of this, sectool is basically duplicating
>> partly msec functionality, there was no adaption for Mageia, currently it's
>> checking on Mageia with the upstream Fedora configuration.
>> Honestly this should have been done when importing it, as
>> tmb already mentioned. msec should be patched to not require it.
>> When we can't even get our default security tool to work properly,
>> what's the point in adding a second one which needs even more
>> maintenance?
> As you say, the question is again "why was it uploaded in the first place".
> It seems some packages were uploaded, and there seemed to have not enough
> tests. While that's hard or impossible to avoid totally, that's not really 
> the way to achieve a good distribution :/
In most cases QA can test, but normally with some packages they can't tell:
Is this the expected result or is this totally off and has to be corrected?
Like with msec or sectool output, where we'd need security experts
which know the distro from head to toe and can make educated decisions
which output or warning is wanted and which bogus.

So in this case it's not QA to blame.
> I neither use msec nor sectool, so I personally do not care that much.
> Afaik, sectool was created by an ex mandriva/mandrake guy ( vincent danen ),
> because he was ( rightfully ) wanting to rewrite msec, which is/was
> a mess of bash + python + perl code ( and rather ugly code, afaik, last time
> I took a look ), but if msec is supported, and sectool is not, then I guess
> we could drop. However, I still think we should first attempt to collaborate
> and fix it. ( ie, always have the reflex of "try to fix and collaborate" ).
Normally I'd have the same stance on this. But given the facts that we currently have
reports and users complaining about msec and superfluous warnings on the default
security level, which needs some serious love, and the fact that sectool runs with
upstream (Fedora) configuration, and needs the whole configuration adapted
to Mageia. And that this adds on duplication because the two configurations
for msec and secgui need to be kept in sync, I'm in favor of dropping it for mga2.

Any objections or better proposals?

BTW: Vincent Danen wrote sectool for Fedora, and he's currently working in the
Red Hat Security Response Team.
