Re: Proposal for removal of mICQ package
>>>>> In article <20030213165225.GB7379@azure.humbug.org.au>, Anthony Towns <email@example.com> writes:
> On the other hand, this makes no sense at all. The package doesn't
> have intractable security holes, or license problems, and the bugs
> that've gotten us into this mess are all trivial to fix. From what
> I've read of his posts, the upstream author doesn't even seem
> particularly unreasonable in any of his demands, or even
> particularly more obnoxious than various other people around the
Let me get this straight. The upstream author, who is annoyed
at the Debian developer, decided to break the program for every
Debian user, deliberately? He also cleverly, and deceptively, not
only obfuscated the code, but to ensure maximal distribution of the
trojan, effectively made the program work for the person he knows
In other words, he introduced what would be a grave bug in
the software, and covered his tracks, deliberately impacting Debian
Is this not a tactic used to pull in users of the software,
offer them as collateral damage in an attempt to blackmail the
project? This sounds akin to the crackers who break in to deface web
sites to ``help'' site owners and users by pointing out how insecure
their practices are.
I find this very worrisome. I find attempting to brush this
under the carpet even more so.
This seems to be an extreme lack of judgment. People have
told me that at least all it did was deliberately make the program
non-functional on Debian, and that there was no data loss.
This time there was not. In extreme reactions in a fit of
temper, the reactions escalate; the second time you introduce a
trojan it is less satisfying than it was the first time. How can you
be sure that the next time, in order to drive the message home,
the trojan would not do rm -rf ~/. ?
In other words, I find this action a serious breach of trust;
and I do not think, under our social contract, and in the interest of
our users, we can let software from this person into Debian unvetted.
This was a deliberate attempt to harm our users. And before
you belittle the damage, consider this: to users of this package,
the software has a utility function; and making that software not
work was a deliberate act of sabotage.
> Personally, "drop any and all packages that these could affect"
> seems like a pretty poor solution, both in that it loses the most
> functionality of all possible solutions, and in that it can only be
> done after the fact.
I suggest we pull this package from Debian until we have
performed a full audit on it (after all, who knows who else he may
have been mad at, and what constituencies are now affected by his
Once we have audited the code, we would effectively have to
fork it, since no upstream changes can be trusted either. Far
less bother to fork it
We can explain in README.Debian why we no longer consider
Witch! Witch! They'll burn ya! Hag, "Tomorrow is Yesterday",
Manoj Srivastava <firstname.lastname@example.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C