[Pkg-nagios-devel] Bug#756479: Bug#756479: (no subject)
Alexander Wirt
formorer at debian.org
Fri Jan 22 10:17:39 UTC 2016
On Fri, 22 Jan 2016, Fabien COELHO wrote:
>
> Sigh. I've lost 1 hour on this "improvement".
>
> Please note that there is still a bug: the installed "/etc/nagios/nrpe.cfg"
> configuration file now contains a option which is ignored, but AFAICS there
> is no warning about that fact in the file nor in the log when starting nrpe,
> so people will keep trying to enable it and fail without understanding that
> it is in fact ignored.
>
> >nrpe has several, not fixable security problems with argument parsing.
>
> I do believe that.
>
> >You should not use it at all.
>
> You do *NOT* know about other people context and balance of risks.
>
> Debian is for grownups, you do not have to "decide" for us as if we were
> children. I know my risks and benefits, and I can make the decision whether
> to enable arguments or not, you do not have to take this decision for me.
> The option name says it all "dont_blame_nrpe": *MY* responsability, not
> yours.
>
> >A secure alternative would be to use check_by_ssh.
>
> I disagree that using check_by_ssh is obviously better, because it means
> allowing a shell access and a private key without password on the server, or
> endless efforts to maintain some ssh-agent somewhere which have their own
> risks... I'm not sure I can see how this is much better than nrpe with
> arguments and IP control, for me this is the same.
>
> The "just compile your own package" is a laughable fix: If I wanted to do
> that, I would not use Debian in the first place.
Stop complaining, start maintaining packages. It is a shame that all those
complainers weren't able to build a "fixed" package.
Alex
More information about the Pkg-nagios-devel
mailing list