
ORBit and HELIX



Ok, I suppose I'll jump in.  I'm the Debian maintainer for the orbit
package.  And, between my grandiose plans for redoing the packaging
completely, and a lack of free time lately, I've gotten somewhat
behind -- from the outside, it probably appears like I'm just slacking
off.

So I'll be perfectly happy to turn orbit over to you, Peter, and to
Helix, but only if certain requirements are met.  All the patches I've
sent to Sopwith have gotten dropped on the floor.  (I think he doesn't
like Debian -- or maybe he just doesn't like me.)

There is at least one security issue that needs to be addressed, and
one build problem.  Maybe Helix will have more leverage to get these
changes installed upstream, but I want to make sure they don't get
overlooked.

(If these changes are already in the Helix debs, then I apologize for
wasting everyone's time, but I'm on low-bandwidth till Tuesday, and
can't easily check.)

1.  Security:  someone discovered a trivial denial-of-service for the
    panel.  I came up with a quick-and-dirty solution -- disabling TCP
    by default in /etc/orbitrc.  My postinst creates /etc/orbitrc if
    and only if it doesn't already exist.

    a) this should probably be a conffile.  Or a better solution
       should be found.
    b) whatever solution is found, it has to be backwards compatible
       with my quick-hack solution, which is in potato.

2.  Build: as shipped, the orbit sources try to unpack libwrap.a and
    then link those object files directly into liborbit.so.  However,
    libwrap.a is not compiled with -fPIC, so this completely fails to
    work on one or two platforms (Sparc, I think).  Debian has
    libwrap.so, so the proper solution, which I used, is to link
    against that.

Now, if the Helix orbit deb is truly lintian-clean, then I assume that
the latter problem was addressed.  But I'd just like to make sure that
both of these problems have been handled properly before turning over
ownership of the package.  Especially the former, which isn't visible
to lintian.

Feel free to email me off-list if you have any boring questions or
comments about any of this.  ;-)

cheers
-- 
Chris Waters   xtifr@dsp.net | I have a truly elegant proof of the
      or    xtifr@debian.org | above, but it is too long to fit into
http://www.dsp.net/xtifr     | this .signature file.


