
Re: April report



I am just about to untake xbmc. I don't think it makes sense to continue.

Upstream bug report:
https://trac.kodi.tv/ticket/17314

This issue, and the lack of response to the upstream bug report, clearly
makes me think upstream is not serious about security issues. As such I
think this webserver (any version) should be restricted to trusted networks
by trusted users.

The reasons I feel it is unwise to continue:

* Possibility of other security issues. Probably suffers from CSRF
  vulnerabilities if nothing else (No, I haven't checked properly -
  except by "grep -i CRSF" in source).
* No fixes available for any version available.
* No response to upstream bug report - Was opened in February.
* Possibility that designing my own fix might break something or not fix
  it properly.
* I don't see any evidence of tests being run during builds that might
  pick up on breakage I might accidentally introduce.
-- 
Brian May <bam@debian.org>

