[Pkg-firebird-general] Bug#251458: firebird: remote vulnerability

Remco Seesink <raseesink@hotpop.com>, 251458@bugs.debian.org
Wed, 28 Jul 2004 10:52:31 +0200


> Can you elaborate on what the needs are for a firebird 1.0.3?  If the
> libraries can be provided by the firebird2 package, and the firebird
> 1.0 server has too many security holes to be included in a stable
> release, what's left in the 1.0 package that warrants keeping it
> around?  When I asked James to look at this one, he did have
> misgivings about the package rename, since there's no evident reason
> to keep two source packages around; so I'd like to know there's a good
> answer for this.
>
> In any case, at this point the quickest way to get these packages into
> a releasable state, now that firebird2 is available, is to remove the
> binary package from firebird (1.0) that contains the security
> problems, so that this bug can be closed.  Once that's done, you can
> sort out which package you want to provide the libraries in the long
> term; but trying to make such changes now is likely to prejudice the
> chances of any of these client packages making it into sarge.

Well, frankly I am not the biggest supporter of keeping them both so I
might not know the comprehensive list of reasons, but this is what I
know:
1. When migrating to 1.5 you should back up with the old server and
   restore with the new. This is needed when ODS (On Disk Structure)
   changes are in the database format.
2. Not all applications will work out of the box when moving from 1.0.x
   to 1.5.x.

I suggest that people on pkg-firebird-general who know more than I do
step forward. If it was up to me I would remove firebird 1.0.3 from the
archive and put them on http://firebird.debian.net. libfirebird2-* would
only need to provide libfirebird and all existing packages should be
happy without a recompile. libgds.so.0 is symlinked to fbclient.so.0.
This is tested with php4-interbase and an unpackaged binary (ibaccess).

If this would happen I am not so sure about the usefulness of the
firebird2 naming.

Cheers,
Remco.