
Re: Proposal for removal of mICQ package



>>>>> In article <20030213165225.GB7379@azure.humbug.org.au>, Anthony Towns <aj@azure.humbug.org.au> writes:

 > On the other hand, this makes no sense at all. The package doesn't
 > have intractable security holes, or license problems, and the bugs
 > that've gotten us into this mess are all trivial to fix. From what
 > I've read of his posts, the upstream author doesn't even seem
 > particularly unreasonable in any of his demands, or even
 > particularly more obnoxious than various other people around the
 > place.


	Let me get this straight. The upstream author, who is annoyed
 at the Debian developer, decided to break the program for every
 Debian user, deliberately? He also cleverly, and deceptively, not
 only obfuscated the code, but to ensure maximal distribution of the
 trojan, effectively made the program work for the person he knows
 packages it?

	In other words, he introduced what would be a grave bug in
 the software, and covered his tracks, deliberately impacting Debian
 users?

	Is this not a tactic used to pull in users of the software,
 offer them as collateral damage in an attempt to blackmail the
 project? This sounds akin to the crackers who break in to deface web
 sites to ``help'' site owners and users by pointing out how insecure
 their practices are. 

	I find this very worrisome. I find attempting to brush this
 under the carpet even more so.

	This seems to be an extreme lack of judgment. People have
 told me that at least all it did was deliberately make the program
 non-functional on Debian, and that there was no data loss.

	This time there was not. In extreme reactions in a fit of
 temper, the reactions escalate; the second time you introduce a
 trojan it is less satisfying than it was the first time. How can you
 be sure that the next time, in order to drive the message home,
 the trojan would not do rm -rf ~/. ?

	In other words, I find this action a serious breach of trust;
 and I do not think, under our social contract, and in the interest of
 our users, we can let software from this person into Debian unvetted.

	This was a deliberate attempt to harm our users. And before
 you belittle the damage, consider this: to users of this package,
 the software has a utility function; and by making that software not
 work was a deliberate act of sabotage.

 > Personally, "drop any and all packages that these could affect"
 > seems like a pretty poor solution, both in that it loses the most
 > functionality of all possible solutions, and in that it can only be
 > done after the fact.

	I suggest we pull this package from Debian until we have
 performed a full audit on it (after all, who knows who else he may
 have been mad at, and what constituencies are now affected by his
 tantrums?)

	Once we have audited the code, we would effectively have to
 fork it, since no upstream changes can be trusted either. Far
 less bother to fork it 

	We can explain in README.Debian why we no longer consider
 upstream trustworthy.

	manoj
-- 
Witch!  Witch!  They'll burn ya! Hag, "Tomorrow is Yesterday",
stardate unknown
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C