Removing insecure packages from etch [Was: Re: [Secure-testing-team] Etch security bug hunting season opened]

Steve Langasek vorlon at debian.org
Tue Aug 15 23:21:57 UTC 2006 

On Tue, Aug 15, 2006 at 04:55:59PM -0600, dann frazier wrote:
> On Tue, Aug 15, 2006 at 11:58:04PM +0200, Moritz Muehlenhoff wrote:
> > Neil McGovern wrote:
> > > > And please also have an eye for packages, which are too buggy to
> > > > release security-wise. Crap like oftpd, elog or mantis should never
> > > > have entered the archive at the first glance.

> > > Is it worth subscribing to the wnpp list, and either commenting or
> > > veto-ing packages?

> > I'm trying to follow debian-devel and giving advice where possible.
> > Unfortunately most people just don't care; e.g. I strongly recommended
> > to dump mantis completely. Still someone NMUed it for some non-DD who'll
> > most definitely in half a year lose interest like the two previous
> > maintainers and leave that junk in the archive with the Security Team
> > needing to support it for two more years. A package with only 35 installed
> > popcon users and _20_ vulnerabilities since January 2005. Or elog, a
> > _horribly_ insecure electronic web logbook written in C, which had every
> > basic security flaw you could ever imagine. The DSA fixed seven CVEs,
> > at the time of DSA it had six voting popcon users...

> > It's packages like these which kill the fun out of preparing security
> > updates for Debian.

> What about filing bugs against ftp.debian.org requesting the removal
> of these packages, and asking the release managers to block the etch
> release on these bugs?

The bugs we block on are those marked in the BTS as RC severity with no
"etch-ignore" tag.  So if you want to ask us to block on them, set the
severity correctly. :)

> Or, perhaps file a grave bug against each package stating that it
> cannot be security supported and ask the release team to drop it
> from etch.

Should be serious rather than grave, but yes -- the bugs should be filed
against the unreleasable packages, independent of whether you request
removal from the archive.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/

More information about the Secure-testing-team mailing list