Re: Bug#504758: gforge-plugins-extra ships security issues-prone code copies

[Roland Mas <lolando@debian.org>]

tag 504758 + help
thanks

Raphael Geissert, 2008-11-06 15:42:52 -0600 :

> Package: gforge-plugins-extra
> Severity: serious
> Version: 4.7~rc2-5
> Tags: security
>
> Hi,
>
> By taking a look at the list of files shipped by
> gforge-plugins-extra I can easily see several scripts which are
> already in the Debian archive. I'm using 'serious' as the severity
> given the fact that in many of the already packaged scripts security
> issues have been found in the past.

I'm sort of aware of that, but I'm undecided as to how to react.  This
package contains plugins that are not exactly supported (by me at
least), and these plugins are not installed or made operational when
the package is installed.  They require manual intervention to set up,
and are only shipped as part of a deb as a convenience.

The way I see it, there are three ways out:

- prepare a new upload that doesn't contain this binary package, and
  leave users with the task of getting the code from the source
  package and installing it by hand;

- ignore this bug for lenny, since one could argue that the code isn't
  actually made operational by the mere installation of the package;

- actually patch the code to use system-provided packages, and update
  dependencies accordingly.  This has already been done for some
  libraries (Snoopy and FCKeditor), and it's not a huge task, but I
  probably won't have time to tackle it before the lenny release
  (real-life time constraints abound).

I'm therefore soliciting advice and/or help on that problem.

Roland.
-- 
Roland Mas

A lesson for you all: never fall in love during a total eclipse.
  -- Senex, in A Funny Thing Happened on the Way to the Forum