
Re: Bug#557948: Severity of 557948 and plans for this bug



On Mon, 22 Mar 2010, Don Armstrong wrote:
> On Thu, 04 Mar 2010, Aníbal Monsalve Salazar wrote:
> > On Mon, Mar 01, 2010 at 03:49:08PM -0800, Don Armstrong wrote:
> > >Do you expect the ctte to override the severity or demand a specific
> > >fix? The former can be done, but the latter will (almost certainly)
> > >require a patch before that happens.
> > 
> > I plan to fix it later in the evening.
> 
> Anibal: what's the current status of this? Can we assume that the
> underlying issue will be resolved shortly?

I haven't heard from Anibal, and I don't see any public progress
regarding this; I think we may need to actually address the severity
of this bug. [At any point, if it gets fixed, it'll obviate our
discussion.]

ssmtp requires access to configuration files which may contain
authentication information necessary to connect to remote mail
servers.

As such, these files should not be readable by normal users, but
ideally only ssmtp (or possibly users who are authorized to send
outgoing mail.)

Currently, these files are root:mail 640, and the configuration
requests that users be added to the mail group to be able to send
mail. Unfortunately, this ends up in the users in this group being able
to read and write to all mail spools by default.

We have the following options if we want to just decide the severity:

1. The package must not be released with this bug; it should have a
severity of at least serious.

2. The package can be released with this bug; it does not need a
severity of serious or greater. The maintainer can elevate the
severity.

3. Further discussion

I'd like to at least resolve this part of the bug by calling for a
vote in the next 48 hours. I think that we can actually discuss a fix
for this bug later if the maintainer (or someone who uses ssmtp who
wants to submit a patch) has any questions after that fact.


Don Armstrong

-- 
Clothes make the man. Naked people have little or no influence on
society.
 -- Mark Twain 

http://www.donarmstrong.com              http://rzlab.ucr.edu
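
The following is an added example, not part of the message above and not code from the ssmtp package. It audits what membership in one group reaches under a directory, which is the concern raised about a 640 configuration file sharing its group with the mail spools. The file names, the tree layout and the use of the process's own group as a stand-in for `mail` are constructed assumptions.

```python
import os
import stat
import tempfile

def group_reach(root, gid):
    """Map each entry under root that is group-owned by gid to the access
    ('r', 'w' or 'rw') its group permission bits grant."""
    reach = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or st.st_gid != gid:
                continue  # symlink modes are meaningless; other groups are out of scope
            bits = ("r" if st.st_mode & stat.S_IRGRP else "") + \
                   ("w" if st.st_mode & stat.S_IWGRP else "")
            if bits:
                reach[os.path.relpath(path, root)] = bits
    return reach

def collateral(reach, intended):
    """Entries the group can reach besides the one file membership was meant for."""
    return sorted(p for p in reach if p != intended)

def build_sample_tree():
    """Constructed tree: one 640 config plus a spool directory, all in one group.
    The process's own group stands in for `mail`, because changing group
    ownership to `mail` would need privileges."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "spool"))
    layout = {"smtp-auth.conf": 0o640, "private.conf": 0o600,
              "spool/alice": 0o660, "spool/bob": 0o660}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "spool"), 0o770)
    return root, os.lstat(os.path.join(root, "smtp-auth.conf")).st_gid

if __name__ == "__main__":
    root, gid = build_sample_tree()
    reach = group_reach(root, gid)
    for path in sorted(reach):
        print(f"{reach[path]:2}  {path}")
    print("collateral:", collateral(reach, "smtp-auth.conf"))
```

On a real system, `group_reach` would be pointed at the directories of interest with the numeric gid of the group under review.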

