also sprach Nathan E Norman <email@example.com> [2002.04.03.0732 +0200]:
> > well, i am calm, but i disagree. sure, it boils down to the question
> > who debian's audience are, but for all i am concerned, debian's
> > reputation _used_ to include "security", and the reason why i'd (as in
> > "would" and "had") install(ed) debian was because i didn't need to be
> > worrying about the obvious and hence i could spend my resources on
> > other things. had i wanted to patch one-year-old bugs in software that
> > installs from the "security archives", then i might have just chosen
> > to "fly" redhat. i don't understand why you aren't understanding this.
> > i am not at all against finding the real bug as well as investigating
> > why:
>
> See, paragraphs like this directly contradict your statement above that
> you don't want a flame war. Debian "used to include security"?
> Apparently you no longer run Debian? Does this mean you've withdrawn
> your name from the NM queue?

no and no. i will continue to run debian and i'll support the project! i
am just joining in with the group of people who see debian's reputation
and quality not keeping up with what it used to be. i see no alternative
to debian and so i want to prevent this degradation, simple as that.

i am also not attacking anyone, not even the project. what i wrote is
based on facts and experience, and if at all, then it should give
everyone partaking in the project something to think about.

> Are you willing to abandon the hyperbole and put forward rational
> arguments as to why your solution is best?

because it will prevent s.d.o from serving a buggy package. it's not
fixed perfectly, but at least it's not subject to a known exploit. it's
not the best, but it's IMHO really only beaten by the fix of the root of
the bug *right now*. this fix isn't available, so i suggest bridging the
time until we can patch proftpd properly with a temporary fix.

you know, just so that when i have s.d.o in my sources.list, i can
actually rely on debian as i usually do.

> The temporary patch is, well, temporary. It only works on a new
> install; otherwise the admin has to examine their config file by hand
> to make the change.

well, we have debconf to help. and postinst scripts can be quite
intelligent...

> Worst of all, since the bug was thought to be fixed but isn't, the
> temporary fix may not in fact prevent the exploit. If the exploit
> is part of libc globbing code, it may be exploitable in other code,
> not just proftpd.

of course. i am not arguing against that.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

there's an old proverb that says just about whatever you want it to.