Removing insecure packages from etch [Was: Re: [Secure-testing-team] Etch security bug hunting season opened]

dann frazier dannf at dannf.org
Tue Aug 15 22:55:59 UTC 2006


On Tue, Aug 15, 2006 at 11:58:04PM +0200, Moritz Muehlenhoff wrote:
> Neil McGovern wrote:
> > > And please also have an eye for packages, which are too buggy to
> > > release security-wise. Crap like oftpd, elog or mantis should never
> > > have entered the archive at the first glance.
> > 
> > Is it worth subscribing to the wnpp list, and either commenting or
> > veto-ing packages?
> 
> I'm trying to follow debian-devel and giving advice where possible.
> Unfortunately most people just don't care; e.g. I strongly recommended
> to dump mantis completely. Still someone NMUed it for some non-DD who'll
> most definitely in half a year lose interest like the two previous
> maintainers and leave that junk in the archive with the Security Team
> needing to support it for two more years. A package with only 35 installed
> popcon users and _20_ vulnerabilities since January 2005. Or elog, a
> _horribly_ insecure electronic web logbook written in C, which had every
> basic security flaw you could ever imagine. The DSA fixed seven CVEs,
> at the time of DSA it had six voting popcon users...
> 
> It's packages like these which kill the fun out of preparing security
> updates for Debian.

What about filing bugs against ftp.debian.org requesting the removal
of these packages, and asking the release managers to block the etch
release on these bugs?

Or, perhaps file a grave bug against each package stating that it
cannot be security supported and ask the release team to drop it
from etch.

Probably best to just ask the release team (cc'd) for their preferred
approach.

-- 
dann frazier




More information about the Secure-testing-team mailing list