On Tue, 4 Nov 2008 03:40:22 pm Michael Gilbert wrote:
> Dear release team,
>
> Thank you for making a decision on the direction for bug #449497 in
> foo2zjs. I believe that this is a reasonable choice for now due
> to the impending release. However, I would really like to see an
> honest and constructive conversation on the issue. I believe that
> there are some major security and functionality problems with fetching
> scripts, and there should be clear direction from the members of the
> debian project on the matter. I would like to be able to completely
> trust main, so it is my hope that developers would do everything in
> their power to keep main as clean and safe as possible. I am just a
> user, so I feel powerless to do anything, and my experience dealing
> with this issue through the foo2zjs maintainers was not exactly
> constructive (primarily because of over-reactiveness and
> hypersensitivity on their part and perhaps a lack of appreciation for
> debian's bug command and control authority on my part -- and of
> course some good old misunderstanding and misinterpretation). Where
> do I go from here to make sure the issue gets the appropriate level of
> thought and consideration that it deserves (after lenny gets released
> of course)?
>
> Best wishes,
> Michael Gilbert
>
> http://lists.debian.org/debian-release/2008/11/msg00106.html
> http://bugs.debian.org/449497
> http://bugs.debian.org/503813
> http://bugs.debian.org/503814
> http://lists.debian.org/debian-ctte/2008/10/msg00006.html

Please let me just say two things. First, we are not over-sensitive or anything, but we took your ideas into consideration and even asked for advice. I think we were pretty sensible in that manner, so please stop stating otherwise. Furthermore, the script is not automatically called, and users know what they are doing (or at least they should) when they call it. Maybe we could even add an additional warning, which I would definitely be open to.
Now to your "security concerns". Since this script explicitly downloads stuff from an author's webpage (and it is stated like that), the user knows the risk. Are you proposing to call this a security issue? Then packages like iceweasel are also affected, and many others ... We can talk about putting the script somewhere else or do $whatever with it after the release, but not for lenny. So please stop the noise and get back to us about it after the release. I promise that I'll do my best to find a solution that suits everyone. But right now you create more work for other people, including me, which I could spend on security related work. Thanks in advance.

Cheers,
Steffen