enhance checkgroups handling

Julien ÉLIE julien at trigofacile.com
Sun Aug 5 17:44:06 UTC 2007 

En réponse à Russ Allbery :
>> Perhaps the else {} is useless.  It is just to say that the checkgroups
>> was processed but we can also see that with the controlchan initial log.
>
> Yeah, I think we can drop that.

OK.  I will drop it.


>> I suggest that the actions be really taken when there are changes
>> (newgroup and rmgroup) for PGP-signed control articles (with verify-*).
>> And to also change the descriptions in the newsgroups file.
>
> Yup.

It is indeed useful for instance with de.*, when they add/remove de.alt.*
newsgroups since no PGP-signed newgroup/rmgroup messages are sent for
them and they are only in de.* checkgroups.
And also for changes in the descriptions (as it happens sometimes).


>> I do not know whether it should also be done for a mere doit (without
>> PGP).  Normally, it should not harm since people ask a "doit".  Any
>> thought about that?
>
> If they say doit, we should honor their request, I think.  It's not safe
> to do that with public hierarchies on the regular Usenet

I agree with you.  I tend to think it would be better to honour such "doit"
actions.  I asked this because of the default control.ctl behaviour:

For instance:

## AR (Argentina)
checkgroups:jorge_f at nodens.fisica.unlp.edu.ar:ar.*:doit
newgroup:jorge_f at nodens.fisica.unlp.edu.ar:ar.*:doit
rmgroup:jorge_f at nodens.fisica.unlp.edu.ar:ar.*:doit

Everyone can make a mess with checkgroups (2000 ar.* newsgroups created
in the row with a forged checkgroups... and then another checkgroups
which deletes them and afterwards another which...).

But well, this can currently also be done with newgroup/rmgroup articles
(but the mess is softer).
I do not know what to do with that.  It can lead to possible attacks
(and on ftp.isc.org too by the way).

Wouldn't it be time to only allow PGP-signed control articles to be honoured?
(inviting current hierarchies maintainers to sign their control articles)
Active hierarchies are mostly PGP-managed, though.

[perhaps we should discuss that in news.admin.hierarchies]

-- 
Julien ÉLIE

« Avec des si on mettrait Paris en bouteille. »

More information about the inn-workers mailing list