
Re: Xt xterm security hole



Ian Jackson <ian@chiark.greenend.org.uk> writes:

> Premise: we should not ship 1.2 with a security bug that we know can
> give away root access.
> 
> Believed-known fact: XFree86 as currently in frozen has such a bug.
> 
> Conclusion: we must do something to the XFree86 build in frozen before
> we release.
> 
> We can do this in two ways:
>  1. Push XFree86 3.2 into frozen.
>
>  2. Apply a patch to fix the bug in frozen's source and rebuild X.
> 
> I don't know which of 1 or 2 we can should do, but surely we must do
> one or the other and we must not release 1.2 without it.

I'm not happy with pushing a new package into frozen on short notice,
but 1 is probably a better option.  XFree86 3.2 has been in beta test
for months and fixes some problems with certain video chipsets.

Normally, it's a bad idea to upgrade "close to the bleeding edge", but
programs that are close to the hardware (the kernel, XFree86, etc.)
usually have a harder time keeping up in the Linux world and you have
to accept a bit more danger than for more stable programs or you don't
get anything done.

Dan

-- 
Daniel Quinlan <quinlan@pathname.com>  |  finger quinlan@pathname.com for PGP
quinlan@transmeta.com (at work)        |  http://www.pathname.com/~quinlan/

