> Well, this is a public mailing list. :)
I realize now that many of the emails listed as package maintainers, about 20% in our case, are public mailing lists. That's unfortunate, but hopefully most reported bugs will not be security critical.
> I have a fix which I plan to push tonight along with a couple of other patches.
That's great! I'm impressed by how quickly you were able to produce a patch.
> One thing I noticed, however, is that, because some of the programs are
> only expected to be run as root, they return immediately if getuid()
> returns non-zero (e.g. dpkg-reconfigure from cdebconf) and do not
> actually get tested beyond this point. Alexandre, I don't know if this
> issue showed up already in your experiment.
You raised a good point. This is happening quite a bit, especially when analyzing /sbin. We are not able to analyze those programs yet, as we run as a normal user. This is on our to-do list though.
Thanks,
The mayhem Team
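The getuid() gate discussed in the thread, as an added example that is not part of the original thread, of Mayhem, or of any Debian package: a hypothetical root-only tool whose "must be root" check sits in front of its input parser, so an unprivileged fuzzer never reaches the parser, together with the LD_PRELOAD-style identity shim that gets past the check. The tool, its parser and the uid values are constructed for illustration; the shim is the same trick fakeroot(1) uses for the whole identity API.

```c
/* Added example, not code from the thread or from Mayhem.  A root-only tool
 * pattern and the preload shim that lets an unprivileged fuzzer reach the
 * code behind the uid check.  Both are in one file for readability; in
 * practice the shim is its own shared object (see build notes below). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* ---- the shim: make the process believe it is root --------------------
 * Build and preload under the real target:
 *   gcc -shared -fPIC -o fakeuid.so fakeuid.c
 *   LD_PRELOAD=./fakeuid.so ./tool input.cfg
 * An executable's own definitions take precedence over libc's, so compiling
 * this file normally has the same effect on the demo tool below. */
uid_t getuid(void)  { return 0; }
uid_t geteuid(void) { return 0; }

/* A uid source that models the normal unprivileged run (uid 1000 is an
 * assumed, constructed value). */
static uid_t unprivileged_uid(void) { return 1000; }

/* ---- the target pattern: check identity, then parse --------------------
 * Hypothetical tool logic (assumption): 2 = stopped at the root gate,
 * 1 = malformed "key=value" input, 0 = accepted.  The uid source is a
 * parameter only so the demo can show both runs side by side; a real tool
 * calls getuid() directly. */
int root_only_tool_as(uid_t (*uid_fn)(void), const char *input)
{
    if (uid_fn() != 0) {              /* the gate: non-root runs end here */
        fputs("must be run as root\n", stderr);
        return 2;
    }
    /* Everything below is unreachable for an unprivileged fuzzer unless the
     * identity is faked.  This is the code worth fuzzing. */
    const char *eq = strchr(input, '=');
    if (eq == NULL || eq == input || eq[1] == '\0')
        return 1;                     /* no '=', empty key, or empty value */
    return 0;
}

/* What the real tool looks like: the gate consults the process's own uid,
 * which under the shim above (or fakeroot) reports 0. */
int root_only_tool(const char *input)
{
    return root_only_tool_as(getuid, input);
}

int main(void)
{
    const char *sample = "hostname=mayhem-test";   /* constructed input */
    printf("unprivileged run: %d (stopped at gate)\n",
           root_only_tool_as(unprivileged_uid, sample));
    printf("shimmed run:      %d (parser reached)\n",
           root_only_tool(sample));
    printf("shimmed, bad input: %d\n", root_only_tool("=novalue"));
    return 0;
}
```

Two caveats a practitioner will hit: the shim only fakes the identity, so anything past the gate that really needs privilege (writing under /etc, opening raw devices, binding low ports) still fails, which is fine for covering parsers but not for end-to-end behaviour; and the dynamic loader ignores LD_PRELOAD for setuid executables, so those binaries have to be copied and run without the setuid bit.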