Hi Ola,
Am 30.04.2017 um 22:00 schrieb Ola Lundqvist:
> Hi Markus
>
> I think we mostly agree on things here. Good to know.
>
> There are some minor comments I have though:
> 1) There are to my knowledge two types of "no-dsa". One "Minor issue
> will be fixed in next point release" and another "Minor issue". I have
> been told that if security team decides for a "minor issue" LTS should
> in most cases do the same. However if it is a "minor issue will be fixed
> in next point release" we should probably fix it as usual.
I think everyone who triages packages has to make a decision from time
to time. It can be right or wrong. In my opinion we should not blindly
follow "no-dsa" tags from the security team but instead use the
opportunity to doublecheck issues and make up our own mind. Nevertheless
to a very high degree the security team's decisions are reasonable of
course and often when I triage packages I follow Jessie too.
My point is that "no-dsa" is not final and absolute. If you catch
yourself spending ten hours on a single issue and end up backporting
large portions of the latest upstream release for a no-dsa bug, it might
not really be the best thing to do. But if the fix is straightforward
and manageable and there is even a more serious bug, it shouldn't be
much of an issue to fix the no-dsa bugs as well. Let's face it most of
the Jessie no-dsa CVE won't be fixed in a point release unless we do it
now or in the next LTS.
> 2) Regarding DoS class. I agree that this can be serious, but to me it
> looks like there are no actual service software that depend on this
> library. Just desktop software. We could however consider custom-built
> software that directly depend on this library. I find that to be a
> rather unlikely situation. Still it can be considered.
I consider desktop software like scribus or calibre to be valid
consumers of libpodofo and there is even libpodofo-utils which includes
tools to manipulate PDF files. The latter is suitable for use on server
systems. I think we shouldn't discriminate between server and desktop
though.
> Apart from these comments I agree with you.
>
> One question to you. Will you look further into fixing the rest of the
> problems? In that case I can add the dla-needed.txt file with your name
> on it. :-)
I have talked to Mattia, the maintainer of libpodofo. He intends to fix
these bugs in unstable and Jessie as well as soon as upstream released
more updates. He will be able to reuse my patches for Jessie. At the
moment I don't intend to assign myself to libpodofo again because
upstream is rather slow with fixing those CVEs. Maybe later but if
someone else wants to work on it now, please go ahead.
Cheers,
Markus