ORBit and HELIX
Ok, I suppose I'll jump in. I'm the debian maintainer for the orbit
package. And, between my grandiose plans for redoing the packaging
completely, and a lack of free time lately, I've gotten somewhat
behind -- from the outside, it probably appears like I'm just slacking
off.
So I'll be perfectly happy to turn orbit over to you, Peter, and to
Helix, but only if certain requirements are met. All the patches I've
sent to Sopwith have gotten dropped on the floor. (I think he doesn't
like Debian -- or maybe he just doesn't like me.)
There is at least one security issue that needs to be addressed, and
one build problem. Maybe Helix will have more leverage to get these
changes installed upstream, but I want to make sure they don't get
overlooked.
(If these changes are already in the Helix debs, then I apologize for
wasting everyone's time, but I'm on low-bandwidth till Tuesday, and
can't easily check.)
1. Security: someone discovered a trivial denial-of-service for the
panel. I came up with a quick-and-dirty solution -- disabling TCP
by default in /etc/orbitrc. My postinst creates /etc/orbitrc if
and only if it doesn't already exist.
a) this should probably be a conffile. Or a better solution
should be found.
b) whatever solution is found, it has to be backwards compatible
with my quick-hack solution, which is in potato.
2. Build: as shipped, the orbit sources try to unpack libwrap.a and
then link those object files directly into liborbit.so. However,
libwrap.a is not compiled with -fPIC, so this completely fails to
work on one or two platforms (Sparc, I think). Debian has
libwrap.so, so the proper solution, which I used, is to link
against that.
Now, if the Helix orbit deb is truly lintian-clean, then I assume that
the latter problem was addressed. But I'd just like to make sure that
both of these problems have been handled properly before turning over
ownership of the package. Especially the former, which isn't visible
to lintian.
Feel free to email me off-list if you have any boring questions or
comments about any of this. ;-)
cheers
--
Chris Waters xtifr@dsp.net | I have a truly elegant proof of the
or xtifr@debian.org | above, but it is too long to fit into
http://www.dsp.net/xtifr | this .signature file.
Reply to: