bardo2
March 21st, 2015, 11:54 PM
Hello,
Unfortunately my first question in here might touch difficult ground, but since it is bothering me seriously, I may need help to get over it.
One week ago, Ubuntu asked me to update (System updates). While I was interested to see WHAT would get updated, to avoid possible breakage of my fragile yet advanced system (Trusty, gnome, zfs, ...), I found (among other packages) the package "sudo" waiting to be updated (from 1.8.9p5-1ubuntu1 to 1.8.9p5-1ubuntu1.1). I know the following information needs better understanding than mine, but - while interested to learn what the change affecting a crucial part of the system might involve - I was surprised to find only a link to some failing website:
CVE-2014-9680 turned up "Unable to load vulnerability."
While I was assuming that a format change of the vulnerability database might be a possible cause, I was still interested to see what motivated that change, and was surprised to find a U.S. "National Vulnerability Database" waiting to be allowed admin privilege on my home PC. Surprised, because Ubuntu (just as Debian was) still is a community effort (led by Canonical, a U.K.-based company, at best), not obeying US national interests, right?
So I began to read up... - not code, because I read my last piece of code some 20+ years ago and felt unable to be sharp enough - but other material, like what other packages came along with that patch. And there have since been plenty of heimdal-related patches (heimdal being a Kerberos implementation), reinforcing my fear that the sudo change *COULD* be the cornerstone to finish an architectural change, which could be summarized as: any company controlling the Kerberos server (or being registered as privileged there) would be able to decide upon anything on my PC, although they don't know a thing about my configuration/needs/limitations.
I was not willing to allow this to happen (basically degrading my hardware into a free lease to those companies and no longer owning it, more like paying for hardware + electricity for their interests).
What I did was to use a combination of apt-mark and apt-pinning to prevent this update from happening. BUT: while I tried to further examine the effects of the change inside virtual machines, I saw it is around (with different version numbers) in all later Ubuntu releases as well. Even worse: when I gave it a try to rip heimdal completely out of a working Ubuntu installation, I saw a dependency hell causing major parts of the system to vanish, rendering the whole installation unusable.
In the end, I feel very much like the powerless witness of evil changes, introduced by Canonical in the interest of the US government, neglecting users' interests. Where are my options?
Or am I missing some important point?