Re: Upcoming Debian Releases
> > > There is a buffer overrun bug in the X Toolkit Intrinsics, a core part
> > > of X. When coupled with xterm's setuid-rootness this means that
> > > anyone on a system with an unfixed X distribution can gain root
> > > access.
> >
> > Does this bug exist in Debian 1.1?
>
> Yes, it does. Both buzz and rex have the same X packages.
This diminishes the benefits of pushing 3.2 even further. If we
delay Rex by one month, then "stable" users are stuck with the
buggy X for only one more month. If we ship Rex as is and
release Bo in 3 months, then "stable" users are stuck with it
for only three more months. So, the total gain is only 2 months.
> > This is not practical. I've seen numerous bugs appear about X3.2,
> > especially in the "dependency" area. It will take at least another
> > month for these to all get straightened out.
>
> But I don't think this month will be wasted. We can do more testing
> and fix a few other things as well, thus making the released system
> more stable (so there won't be too many Debian-1.2.x updates later).
It sounds good, but I don't think it will help in the end. Bringing
in new packages, especially something as big as X, will probably
end up with even more problems over the upcoming months. At least
pushing X3.2 into Bo meant 3 months of testing it before release, not
just one.
> > Security holes such as this do not affect most users. Their
> > machines are secure because only they can get to them. Those people
> > who do host multiple users or manage networks know enough of what
> > they are doing to grab X3.2 from the "unreleased" tree.
>
> Well, it depends - I wouldn't assume that. There are many people
> who run large systems but are not programmers - I know, I get quite
> a lot of mail from people asking for help about (sometimes trivial)
> problems with the shadow suite. Those people who truly know what
> they are doing, can build their own distribution from sources :-).
If they are using the shadow suite, then they are already using
things from "experimental" and "unstable", so they are not people
who will be affected. It's only the people who restrict themselves
solely to the "stable" tree.
> > As opposed to "We are pleased to announce that the release of Debian 1.2 has
> > slipped once again. Please use Debian 1.1 for the next 6-9 months or
> > use RedHat/Slackware instead if you require staying current."
>
> Why this next 6-9 months? We were talking about one month or so...
> The current rex is available for those who want to test it or need
> newer packages (in most cases there is no need to install the whole
> distribution, just these packages that you need) and Debian 1.1.x is
> not that bad anyway.
When was 1.2 _supposed_ to ship? It was at least one month ago, maybe
two. Debian has a very bad reputation for slipping releases.
> We made another major change, just before the freeze, that I would
> be more worried about than X3.2: libc 5.4.7 with the new malloc.
> It breaks buggy programs that happened to work with the older libc
> (like sysnews_0.8-2), so it would be good to have some more time
> for testing the whole system with the new libc.
If you recall, I fought to use libc5.2.18 in Rex, but Bruce overrode
me (again) and said that 5.4.7 was to be used.
Brian
( bcwhite@verisim.com )
-------------------------------------------------------------------------------
Debian GNU/Linux! Search it at http://insite.verisim.com/search/debian/simple