
Re: Snort: Mass Bug Closing
Quoting Drew Scott Daniels (umdanie8@cc.UManitoba.CA):

> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=183719 and bug 189267
> say:
>   DSA 297 closes these bugs. It may be worth noting that potato was not
>   affected.
> What other security issues are there?

Let's first start by telling that my backported packages never made it
to security updates that every good stable user should have in their apt
sources. The DSA just pointed users who actually read it to my p.d.o.
site.

There was a total of 3 advisories against snort. Two of them related to
RPC, another to reconstructing fragmented packets IIRC(!).

> IMHO it's ok to close non-RC bugs on stable (main Debian developers do).
> My rationale is that we only fix RC bugs on stable.

It also has an 'archival' kind of function where people can see what's
wrong with a package if they experience weirdness. The thing is that the
stable snort package is nothing but weirdness, and I can't fix it, but I
do have this huge pile of bugs on my sheet that I'd like to get rid of because
it really interferes with bug handling for the unstable packages.

> 95153 may not even be applicable to snort in stable but should be RC.
[ .. ]
> 158040 doesn't have your automated message. It means that snort is
> unusable. This is likely the problem that was mentioned to you about your
> backport. Merge 165555, 176223 with it (also no automated message)? Is
> this an upgrade problem?

The first automated message thing only went to submitters of critical,
grave, important etc. bugs. 158040 is indeed similar to what Joy
'discovered' in my backported packages: a slip of the fingers of the
maintainer who forgot to change the 'factory default' configuration file
to point to the debian rule-path. It's not an upgrade problem, as long
as I don't forget to set the path correctly, which most of the times I
am quite capable of remembering ;)

> 161659 talks about how a new config file doesn't get generated on even a
> fresh install. Perhaps this is the issue in 158040 et al?

No. The old stable package was incapable of filling in the debconf
generated 'snort.debian.conf' that is sourced to start snort later on.
This was one of the first problems I fixed when I took over the package.
It has nothing to do with 158040.

> 165107 suggests that the config file/rule file problem is in sid sarge and
> woody? Tagging this correctly may help the testing script...

This is (was) an upgrading problem. Because of the move of rule files
from /etc/snort to /etc/snort/rules/. And I forgot to move some files in
the postinst. Something like that. It has been fixed in later versions.

> 135603 is an upgrade problem... rules are incompatible. Is this a stable
> to stable upgrade?

It's not a real upgrade problem. It's that someone has a combination of
Debian releases in his apt sources, and both have versions of the snort
packages, and snort did not depend on a specific version of the rule
files, so apt thinks 'ah! snort-rules-default! already got that! no need
to upgrade!' or something like that.

> 170580 looks like a problem with the debconf script. A simple, obvious
> workaround is mentioned. This sounds like an upgrade problem.

What exactly do you mean by 'upgrade problem'? The debconf scripts
(or templates, IIRC) in that release of the package were broken for some
reason.

> 165135 is a policy violation, which versions are affected? Reported well
> after woody was released... A quick check of the source code could reveal
> the answer.

It is a policy violation. Leftover, I guess. Stable doesn't have
invoke-rc.d, I discovered that when I built and 'tested' the backported
packages.

> I don't know if you should close the upgrade bugs as I've heard the
> argument "users should only be using stable releases of packages" and I
> don't know about snort in potato (is it there? does it upgrade
> correctly?).

I haven't tried upgrading from 1.8.4 to any of my backported packages
myself. Upgrading should go quite pain free, the only annoyance would be
dpkg asking to overwrite each separate rule file, as Joy also mentioned.
I don't know what I can do about that, other than grossly violating the
policies to fix it.

> I'm getting a bit frustrated going through these myself. It seems that
> there's a lot of duplication, and (without testing) it looks like many of
> these bugs are still in sid.

Ehm. Some of them are, but not the ones I mentioned in my original post.
They are all fixed in the current backported release available at p.d.o.

> If you would like help going through these bugs, tagging them correctly,
> merging them, closing some, etc. I'd be happy to look even closer.

Snort has had a spot on alioth for a while and is now being co-maintained
by Pascal Hakim (pasc@). The build trees for both the backported packages
as well as the unstable packages are in CVS.

Any help is welcome. I just want to have a clean sheet and get a bit of
overview of real problems that exist with snort. Like the BUS errors on
sparc, for which workarounds came in?

Thanks for your effort already!

Sander.
-- 
| Alcohol-free beer is like a bra on the washing line: the best part has been taken out
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8  9BDB D463 7E41 08CE C94D