Re: Please remove knowledgetree and slash for security issues
On Sun, Aug 27, 2006 at 09:48:42PM +0200, Moritz Muehlenhoff wrote:
> Steve Langasek wrote:
> >> Steve Langasek wrote:
> >> > In the meantime, I'm downgrading 160579 because I don't see anything in=
> > that
> >> > report that would justify claiming the package is unreleasable.
> >> It's also vulnerable to CVE-2004-2656 (no bug seems to exist) and
> >> CVE-2001-1535 (328927).
> > FWIW, of all of these the one that looks most serious to me is the one that
> > doesn't have a bug filed for it yet. :)
> CVE-2004-2656 should get fixed for Etch, the rest isn't terribly serious.
Could you file a bug report on this one then? That would give us grounds
for removal if the maintainer doesn't react.
> > Can you explain which of these bugs
> > you think justify removing the package from a release, and why?
> It has a marginal user base and seems unmaintained, I'm not sure if it's
> worth carrying around; but I don't have objections security-wise.
Right -- as noted before, I think the rest of those are QA objections, not
reasons for the release team to remove the package directly.
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.