[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#504758: gforge-plugins-extra ships security issues-prone code copies

2008/11/9 Roland Mas <lolando@debian.org>:
> tag 504758 + help
> thanks
> Raphael Geissert, 2008-11-06 15:42:52 -0600 :
>> Package: gforge-plugins-extra
>> Severity: serious
>> Version: 4.7~rc2-5
>> Tags: security
>> Hi,
>> By taking a look at the list of files shipped by
>> gforge-plugins-extra I can easily see several scripts which are
>> already in the Debian archive. I'm using 'serious' as the severity
>> given the fact that in many of the already packaged scripts security
>> issues have been found in the past.
> I'm sort of aware of that, but I'm undecided as to how to react.  This
> package contains plugins that are not exactly supported (by me at
> least), and these plugins are not installed or made operational when
> the package is installed.  They require manual intervention to set up,
> and are only shipped as part of a deb as a convenience.

So, if they need to be manually configured why aren't the sample
config files shipped and the packages put in Recommends?

If that would work please say so, as I could find some time to do it.

> The way I see it, there are three ways out:
> - prepare a new upload that doesn't contain this binary package, and
>  leave users with the task of getting the code from the source
>  package and installing it by hand;
> - ignore this bug for lenny, since one could argue that the code isn't
>  actually made operational by the mere installation of the package;

But it is code that is meant to be used (as it is the only reason why
that binary package is built) and is therefore affected by any
security issue published.

> - actually patch the code to use system-provided packages, and update
>  dependencies accordingly.  This has already been done for some
>  libraries (Snoopy and FCKeditor), and it's not a huge task, but I
>  probably won't have time to tackle it before the lenny release
>  (real-life time constraints abound).
> I'm therefore soliciting advice and/or help on that problem.
> Roland.
> --
> Roland Mas
> A lesson for you all: never fall in love during a total eclipse.
>  -- Senex, in A Funny Thing Happened on the Way to the Forum

Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Charles M. Schulz  - "I have a new philosophy. I'm only going to dread
one day at a time."

Reply to: