Re: Discussing Lingerd's security history
* Martin Schulze (joey@infodrom.org) said:
> Currently I don't know of a problem, but I'll grep through my archive
> as well. Nothing found.
Great.
> This one needs to be distributed via a patch in the Apache package?
> It doesn't produce yet another module that can be maintained
> separately?
Indeed, this is a patch to Apache itself and it has to be a new flavor,
according to advice from Fabio Massimo Di Nitto (fabionne@debian.org).
I made the package following Fabio's advice and he is OK with the way
the flavour is made.
> If this patch doesn't create any obvious (security) problems and the
> Apache maintainer would be fine with including , I don't see a
> compelling reason for not including it.
The patch is small and changes only the way Apache manages connections
(lingers). There's also a binary provided with the apache-lingerd
package, the "lingerd" daemon, which takes care of closing
connections.
The Apache patch is needed to make it aware of that daemon, in fact.
> > Your comments are appreciated, that would let me know if I can ask for
> > an upload to the archive without putting a "trojan" inside Debian ;)
>
> Well, you should check the source code on your own in order not to
> install a trojan like what we had with the micq package a while ago...
I personally don't see a good reason why that patch would bring
security holes; I asked the Security team in order to see if there were
security issues already known about that topic.
If you don't think so, according to my experience with the package, I
think that it should be ok.
Thanks a lot for your comments.
Kind Regards,
Alexis.
--
Alexis Sukrieh <sukria@sukria.net>
http://www.sukria.net
« Quidquid latine dictum sit, altum sonatur. »
Whatever is said in Latin sounds profound.