
Re: Proposal for removal of mICQ package



Manoj Srivastava wrote:

> 	But if the person in question tested it, it would have
>  worked -- the 'xploit was clever enough to test for the presence 

[...]

> 	Unstable is an integral part of testing and QA process for
>  Debian -- the precise user base that the micq trojan targeted.

This was not an "exploit", nor was it a "trojan". The program simply
refused to function normally if compiled in the particular way that the
Debian maintainer typically did it (without any defined value for
EXTRAVERSION, against upstream's clearly-expressed wishes), when run by
anyone other than the Debian maintainer. It was a childishly petulant
thing to do, but it makes no sense to call it an "exploit", as if it
were somehow compromising the security of the end user's machine (it
wasn't), nor to call it a "trojan", as if it were sneakily doing
something behind the end user's back (it wasn't; the refusal to run is
quite obvious when it happens, and the program is quite up-front about
what it is doing and why). Even to call it an "exploit" of the Debian
development process is silly, since it's surely quite normal for new
versions of programs to have behaviors (intentional or otherwise) that
the package maintainer doesn't know about. Had upstream simply left out
the specific reference to the Debian maintainer, and perhaps made the
package refuse to compile (or compile to an obviously non-working
binary) without a reasonable value for EXTRAVERSION, then this would all
be a complete non-issue. His mistakes were simply to make his patch
Debian-specific, to obfuscate it, and to make it fail only when
connecting to a server and only if the user was not the Debian
maintainer. That was obnoxious, but it falls far short of being
destructive or even particularly malicious. It really comes off as
little more than a practical joke played by someone who was already
quite justifiably annoyed with the behavior of Debian's micq maintainer.
It was childish and somewhat irresponsible, but no more so than
describing it as a "trojan".

Craig

Attachment: pgp2ejCOyIG9f.pgp
Description: PGP signature

