
RE: Proposal for removal of mICQ package



First off, I would like to say that I don't think Rüdiger took the best
course of action in this.  That aside, I say it is his software; he can do
whatever he wants to it.  He had issues with the package that he was
unable to work out with the maintainer and wanted to directly inform the
users of mICQ and to provide a package that solved the problems.  He did
not try to make Debian look stupid.

The simple solution is to fix the problems that he has with the package.
I see no evidence that he had any malicious intent nor that he would in
the future.  We also need to make sure that something similar isn't
attempted by someone with the goal of harming Debian and its users.

We need to focus less on what he did and more on the breakdown of
communication between upstream, the maintainer, and Debian as a whole,
and on the security hole that this incident has revealed.


-----Original Message-----
From: Glenn Maynard [mailto:g_deb@zewt.org] 
Sent: Thursday, February 13, 2003 4:49 PM
To: debian-devel@lists.debian.org
Subject: Re: Proposal for removal of mICQ package


On Thu, Feb 13, 2003 at 09:24:05PM +0100, Tore Anderson wrote:
> * Rüdiger Kuhlmann
> 
>  > Nice for you. I'll tell my users to only use the Official version from
>  > micq.org until you stop garbling the package and start cooperating.
> 
> * Martin Loschwitz
> 
>  > Do whatever you want.
> 
>   ..and if you take into account the mood of the discussion, I read  
> your comment as more of an encouragement.  He did exactly what he  
> said he'd do, and by doing so demonstrated that you're not doing  
> proper QA on your packages.  IMO, you've got a well-deserved slap,  
> and have no reason to sulk over it.  Upstream didn't introduce any  
> security holes, nor do I get the impression that he intends to.

He didn't say he'd do so in the program, and the fact that he obfuscated
it indicates that he didn't want it to be found, so it's clear that the
text you quoted was *not* an indication that he was going to do what he
did.

I can't believe people are defending the act of slipping obfuscated code
into a program designed to not be seen by the maintainer and to make
Debian look stupid.  Whether or not this is seen as a serious offense
(which I believe it is; it's a breach of trust), it's certainly
unacceptable.

-- 
Glenn Maynard

