Hi,
On 10/13/19 11:16 PM, Robie Basak wrote:
> On Sun, Oct 13, 2019 at 11:02:45PM +0200, Birger Schacht wrote:
>> The problem is that the package will be removed from unstable in a
>> couple of days because of this bug report. 3 months is sometimes not that
>> much time to fix a bug or even comment
On Sun, Oct 13, 2019 at 11:02:45PM +0200, Birger Schacht wrote:
> The problem is that the package will be removed from unstable in a
> couple of days because of this bug report. 3 months is sometimes not that
> much time to fix a bug or even comment on a bug report. And the release
> of bullseye is
Hi,
On 10/13/19 10:02 PM, Robie Basak wrote:
> On Sun, Oct 13, 2019 at 05:23:40PM +0200, Birger Schacht wrote:
>> Robie, could you please point out the part of the Debian policy that
>> this package is violating?
>
> I cannot. I believe that this issue is such a clear violation of
> Debian's phil
Hello
Similar issues were discussed in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726998
You could also find that Lintian folks use several levels of error
tags to describe this problem, for instance:
*
https://lintian.debian.org/tags/privacy-breach-statistics-website.html.
It is cons
On Sun, Oct 13, 2019 at 05:23:40PM +0200, Birger Schacht wrote:
> Robie, could you please point out the part of the Debian policy that
> this package is violating?
I cannot. I believe that this issue is such a clear violation of
Debian's philosophy that it has never been necessary to document it
f
Hi,
On 8/18/19 3:21 PM, Robie Basak wrote:
> Package: lynis
> Version: 2.6.2-1
> Severity: serious
https://www.debian.org/Bugs/Developer#severities says:
> serious is a severe violation of Debian policy (roughly, it violates a
> "must" or "required" directive)
Robie, could you please point out
Hi Robie,
I totally agree that if this is Debian policy, that the functionality
should be disabled. I'm not saying that Lynis should be an exception and
don't think Lynis is special in any way :)
Just to clarify: the reasoning that I gave for automatic update checking
was meant generic, as Lynis
On Mon, Sep 30, 2019 at 12:39:33PM +0200, Michael Boelen wrote:
> Although I can understand the sentiment of disabling "phoning home"
> functionality, it is there with a good reason. It helps people to learn
> when their software is (very) outdated, especially when it comes to doing a
> security au
Hello Michael,
I am aware of the configuration option you mention but I decided to
create a patch changing the CheckUpdates() function because I don't know
if it is used in another part of the software.
I also can understand your desire to know where and when a Lynis audit
is performed but it sh
Hi,
Original author of Lynis here.
If you don't want to use the update check, then instead of changing the
code, just enable the relevant section in the default profile (default.prf):
# Skip Lynis upgrade availability test (default: no)
#skip-upgrade-test=yes
Remove the # of the second line to
uses the TXT field of the DNS record for this. This patch cancels this function. You can check if you have latest version by running "dig -t TXT lynis-latest-version.cisofy.com" but you would be "phoning home" yourself :-).
Author: Marcos Fouces
Debian-Bug: https://bug
Package: lynis
Version: 2.6.2-1
Severity: serious
Justification: privacy leak
By default, this program appears to make a DNS query to
lynis-latest-version.cisofy.com. thus leaking information about the
system and the fact that the user is running an audit. This is
particularly egregious in the cas
12 matches