Re: setuid/setgid binaries contained in the Debian repository.
On Sun, 3 Aug 2003 03:14:23 -0400, Matt Zimmerman <mdz@debian.org> said:
> On Sat, Aug 02, 2003 at 08:58:00PM -0500, Manoj Srivastava wrote:
> This bug and others existed in your package for over four years (and
> still exist in stable today). We might still not know about it if
> you had not brought the package to my attention for review. Steve
> Kemp might have eventually discovered it in the course of his
> auditing, but I don't know whether he is spending his time on
> non-free software such as angband.
You note that the bugs have been fixed over a year ago.
> The review, simplistic though it was, uncovered flaws in the package
> in stable which were overlooked by the maintainer. This kind of
> situation is often preventable through discussion and code review,
> as you have seen. I would like to promote this beneficial process
> within Debian in order to reduce the workload of the security team
> and the presence of vulnerabilities in our stable releases.
I haven't objected to code reviews of packages; I objected to
gathering consensus through discussion, and making admission of new
packages incumbent on such consensus.
Now, if this proposal is all about getting the code reviewed,
and it is merely a recommendation, as you have implied recently, then
change the stated wording to reflect that.
manoj
--
"You can measure a programmer's perspective by noting his attitude on
the continuing viability of Fortran." Alan Perlis
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C