[Secure-testing-team] #469462: X access wide open on LTSP clients

vagrant at freegeek.org vagrant at freegeek.org
Tue Mar 11 22:30:46 UTC 2008


On Tue, Mar 11, 2008 at 09:38:17PM +0100, Nico Golde wrote:
> * vagrant at freegeek.org <vagrant at freegeek.org> [2008-03-11 21:13]:
> > due to slow buildd's, it has been quite some time since ldm has migrated
> > from unstable to testing (mainly mips*, though others as well).
> > 
> > because of that, the version of ldm in testing is basically incompatible
> > with the version of ltsp in testing (scripts to run ldm from ltsp were
> > moved from the ltsp-client-core package into ldm itself), so simply
> > patching the version of ldm in testing for security only issues would
> > not really be particularly useful.
> 
> Sorry but I don't get it. Why is it a problem to upload a 
> patched version to testing that fixes this issue?

sorry for not being clearer on that... i guess, strictly speaking, the
version of ldm in testing could be patched to fix the security bug.

a separate issue is that the code that actually starts ldm from ltsp is
missing, as in newer versions of ltsp and ldm it was moved from the ltsp
package into the ldm package itself, and a newer version of ltsp
migrated to testing, but a newer version of ldm hasn't- so a security
fix is of questionable value here. that still sounds confusing... i
don't know how else to say it... sorry.

it was my impression that bug fixes that weren't strictly security
related weren't allowed except through the normal channels, i.e.
unstable.
 
> > so i'm wondering what the options are for getting a fixed ldm package
> > into testing.
> 
> The other option would be to ask Steve Langasek from the 
> release team to bump the priority of ldm in the NEEDS-BUILD 
> queues of these build daemons.

this seems like the best option, as it mostly seems like the buildd's
are so slow for priority: extra packages. thanks for the suggestion.

live well,
  vagrant


