
Re: Upcoming Debian Releases



Brian White writes:
...
> Possible options:
>  - Remove Xt from Rex
>  - Replace Xt in Rex with the one from Buzz
>  - Provide info about this problem, suggest upgrading from Bo
>  - Release as is, incorporate patch into Rex-fixed when available
> 
> I suggest the last, if it is important enough.
> 
> No release will ever be perfect.  There will always be "one more thing"
> that should be done.  I cannot see how this problem is any more serious
> than people still having problems such as gzip/compress links because the
> last release was so long ago.

I'm sorry to say this but you obviously don't understand what I'm
talking about.

There is a buffer overrun bug in the X Toolkit Intrinsics, a core part
of X.  When coupled with xterm's setuid-rootness this means that
anyone on a system with an unfixed X distribution can gain root
access.

Stephen Early, the X maintainer, says that it is impractical to build
a patched version of XFree86 3.1.2.

We therefore seemed to me a few days ago to have concluded that
XFree86 3.2 should be pushed into frozen.

However, this has not happened and there has been little time to
test this software.

The reports that I've heard of it are generally favourable, so I do
think that X 3.2 should be pushed into frozen.

Your options boil down as follows:
>  - Remove Xt from Rex

Ie, remove the X Window System from Debian 1.2.  Shurely shome
mishtake ?

>  - Replace Xt in Rex with the one from Buzz

Ie, release Debian 1.2 with XFree86 3.2.  This is a major change, but
is probably what we should do.

>  - Provide info about this problem, suggest upgrading from Bo

I can see it now: `We are pleased to announce the release of Debian
1.2.  Because we were so desperate to ship we've given you a nice
security hole; please use the X packages from the unreleased tree
instead if you require security'.

>  - Release as is, incorporate patch into Rex-fixed when available

`Incorporate patch' means `switch from XFree86 3.1.2 to XFree86 1.2'.
This is not something we should do on a patchlevel change.

Ian.
