Re: Bug#655618: ITP: nx-libs -- NX protocol libraries and binaries



On Fri, Jan 13, 2012 at 12:57:37AM +0100, Mike Gabriel wrote:
> On Fr 13 Jan 2012 00:37:57 CET Stefan Lippers-Hollmann wrote:
> >forked monolithic X.org 6.9 source tree.
> 
> This is indeed the case.

I can't speak for the ftpmasters and Security Team, but honestly I can't
see why they would allow this in the archive or in any stable release,
respectively.

> >Most likely with little to no bug-/ security fixes since 2005 - or am
> >I missing anything vital in that packaging git? Likewise the current
> >debian/copyright appears to lack all copyright notices of the original
> >XFree86/ X.org code, which makes up, by far, most of the source.
> 
> The X2Go upstream team will be open to security and feature patches
> and will love to be pointed at security issues discovered. In the
> very very very long run there might be someone (we are currently
> talking about people in Austria being interested in such a project)
> who refactors NX for latest Xorg code, but currently what we can
> provide is an active maintenance of NoMachine's code.

I think you're missing the issue here.  Since X.org 6.9, there's been a
lot of bug fixes and improved code.  So you're essentially using an
obsolete codebase with a new protocol hacked on.  The Security Team does
not like code copies.  Porters do not like patching the same software
again and again, except with slight differences that make it impossible
to reuse the same patches[0].

The Debian X Strike Force has lots of bugs that need to be dealt with,
very likely because of a lack of time and manpower[1].  If your code is
a fork of 6.9, then all those bugs that were dealt with previously (or
are still present) are probably present in your code.  Also, even though
X2Go may provide security support for nx-libs, the Debian Security Team
still has to issue DSAs and build packages on all of the release
architectures independent of X2Go.

[0] I have had the joy of assisting the kFreeBSD porters with patching
every embedded and modified copy of libgc.
[1] This is not a dig at the X Strike Force; they do a very good job
with package maintenance and bug handling with the manpower they have.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
