Re: Upcoming Debian Releases
> > No release will ever be perfect. There will always be "one more thing"
> > that should be done. I cannot see how this problem is any more serious
> > than people still having problems such as gzip/compress links because the
> > last release was so long ago.
>
> I'm sorry to say this but you obviously don't understand what I'm
> talking about.
That could be. Nobody bothered to include me directly in this conversation
before.
> There is a buffer overrun bug in the X Toolkit Intrinsics, a core part
> of X. When coupled with xterm's setuid-rootness this means that
> anyone on a system with an unfixed X distribution can gain root
> access.
Does this bug exist in Debian 1.1?
> Stephen Early, the X maintainer, says that it is impractical to build
> a patched version of XFree86 3.1.2.
>
> We therefore seemed to me a few days ago to have concluded that
> XFree86 3.2 should be pushed into frozen.
This is not practical. I've seen numerous bugs appear about X3.2,
especially in the "dependency" area. It will take at least another
month for these to all get straightened out.
In addition, since 3.2 is a new release, there will invariably be
lots of little fixes over the coming weeks. Those will need to
be put into the distribution too (delaying it further), or people
will complain about how buggy Debian is and they will complain about
it for a year until we manage to get Debian 1.3 out the door.
Security holes such as this do not affect most users. Their
machines are secure because only they can get to them. Those people
who do host multiple users or manage networks know enough of what
they are doing to grab X3.2 from the "unreleased" tree.
There comes a time where you have to draw the line. You, Ian, were
one of the people who agreed to give me the authority over where
to draw that line.
> Your options boil down as follows:
> > - Remove Xt from Rex
>
> Ie, remove the X Window System from Debian 1.2. Shurely shome
> mishtake ?
Agreed.
> > - Replace Xt in Rex with the one from Buzz
>
> Ie, release Debian 1.2 with XFree86 3.2. This is a major change, but
> is probably what we should do.
I said "buzz", not "bo".
> > - Provide info about this problem, suggest upgrading from Bo
>
> I can see it now: `We are pleased to announce the release of Debian
> 1.2. Because we were so desperate to ship we've given you a nice
> security hole; please use the X packages from the unreleased tree
> instead if you require security'.
As opposed to "We are pleased to announce that the release of Debian 1.2 has
slipped once again. Please use Debian 1.1 for the next 6-9 months or
use RedHat/Slackware instead if you require staying current."
> > - Release as is, incorporate patch into Rex-fixed when available
>
> `Incorporate patch' means `switch from XFree86 3.1.2 to XFree86 1.2'.
> This is not something we should do on a patchlevel change.
If you cannot practically write a patch for X3.1.2, then I agree on
both counts.
Brian
( bcwhite@verisim.com )
-------------------------------------------------------------------------------
It's not the days in your life, but the life in your days that counts.