pombredasbeattie: wrt. to the ubuntu security data license you wrote: "I'll poke people internally about getting more explicit statements in place." --> Thanks!00:05
pombredasbeattie: the vast majority of vulnerability feeds are using some custom permissive license (like the NVD and Mitre) or CC-BY (permissive) or CC-BY-SA (weak copyleft) licenses. The aggregated combined data in vulnerablecode is therefore CC-BY-SA which is the highest common denominator. It would be nice to have one of these licenses. I am somewhat puzzled that in many cases we seem to be the first ones to inquire about the 00:13
pombredalicense of these feeds :)00:13
pombredaMany are proprietary such as https://github.com/pyupio/safety-db or Snyk, OSSindex and more... we are trying to offer an open alternative to these. 00:15
JanCI wonder if for "factual data" like that there aren't more appropriate licenses that allow use, aggregation, etc. but don't allow changes01:59
tomreynis multiverse supposed to be enabled by defualt on new desktop and server installs?02:40
tomreyn20.04 + 22.0402:40
sdezieltomreyn: AFAIK, it is, yes02:46
tomreyn"bm" in #ubuntu points to https://bugs.launchpad.net/ubuntu/+source/unrar-nonfree/+bug/1975722 + https://ubuntu.com/security/CVE-2022-30333 - i pointed them to https://wiki.ubuntu.com/SecurityTeam/FAQ and the (non) supported repositories statement. but with multiverse enabled by default, users not aware of what received (guaranteed) security support have a good chance of running into surprises02:46
-ubottu:#ubuntu-security- Launchpad bug 1975722 in unrar-nonfree (Ubuntu) "unrar has an open security bug" [Undecided, Confirmed]02:46
-ubottu:#ubuntu-security- RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30333>02:46
sdezieltomreyn: same goes with universe though02:55
sdezielhmm, Ubuntu Pro changes things a bit for universe02:55
tomreynnot for free riders, although expectations, maybe02:57
tomreynor assumptions02:58
tomreynMy POV is that making software which receives no (or no timely) security updates available by default on servers and desktop makes it too easy for users to make critical mistakes. i'd expect having to tick a box or edit a configuration file (such as uncommenting the universe + multiverse line in sources.list, where it should be (and i think is) stated that those recieve no security support) to indicate that the user is willing to accept 03:07
tomreynthe risk.03:07
tomreyni assume that the current situation is the outcome of a change that was discussed at some time (probably years ago), though, and was a well evaluated choice.03:09
tomreynnowadays you could possibly argue that snaps are also always easily available and not necessarily getting security support, nor even hint on their support status.03:10
tomreyni have a feeling (but definitely not proof) that multiverse was not enabled by default on earlier releases03:12
tomreynlooks like my memory is failing me. apparently, while there were some hickups during 18.04 / subiquity / "alternative installer" (d-i) times, universe  + multiverse have been enabled for a long time on servers, too https://askubuntu.com/questions/1081243/why-do-i-need-to-enable-universe-repo-in-18-04-isnt-it-default-enabled03:20
tomreynstill, the point about "unexpected/non-accepted risk" remains from my POV. sorry for the long discussion.03:23

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!