Re: limits of automatic unclaiming (Re: pdns/pdns-recursor)

To: Holger Levsen <holger@layer-acht.org>, Abhijith PA <abhijith@disroot.org>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: limits of automatic unclaiming (Re: pdns/pdns-recursor)
From: Antoine Beaupré <anarcat@debian.org>
Date: Thu, 27 Dec 2018 17:45:56 -0500
Message-id: <[🔎] 87tviy4mhn.fsf@curie.anarc.at>
In-reply-to: <[🔎] 20181227141622.3dq5ivs7sqzfgu5e@layer-acht.org>
References: <[🔎] 1e9d9077-0e95-c4bf-d3dd-0e4c63b327c4@disroot.org> <[🔎] 20181227141622.3dq5ivs7sqzfgu5e@layer-acht.org>

On 2018-12-27 14:16:22, Holger Levsen wrote:
> Hi Abhijith, Antoine,
>
> I just ran "./bin/review-update-needed --lts --unclaim 1814400 --exclude
> linux linux-4.9" today and it unclaimed pdns/pdns-recursor as the last
> NOTE entries were more than 3 weeks ago. However Abhijith wrote here:
>
> On Sat, Dec 22, 2018 at 01:02:06PM +0530, Abhijith PA wrote:
>> I am currently working on pdns[1] and pdns-recursor's[2] security issues
>> and which are marked as no-DSA, postponed. Last month I picked it up as
>> I had some time remaining. Upstream patch is available for the remaining
>> issues(CVE-2018-10851, CVE-2018-14644). Both patches contain C++11
>> specific code and I was only able to port CVE-2018-14644. In
>> CVE-2018-10851 I used 'boost' library's smart pointers to deal with the
>> default C++11 smart pointers, but I am not quite there. I was wondering
>> whether anyone here can _help_ me with it. I don't want to spend anymore
>
> Abhijith, thanks for this update! Just please also update the notes for
> these packages in data/dla-needed.txt.
>
> Antoine, this is an example were automatic unclaim might be problematic,
> as it would have unclaimed pdns/pdns-recursor which is not ideal. (For
> now, just ment as a data point.)

I'm not sure it would be that problematic. I think Abhijith could
(should?) have posted a note in dla-needed.txt summarizing this
situation or adding a pointer to the above email.

The idea, anyways, is that worst case the issue gets unclaimed and
reclaimed by someone else. In the above case, Abhijith specifically
identified that as a *desirable* outcome, so I'm not sure it's really a
problem.

Personally, I believe the general case of unexpected unclaims will be
the package will be unclaimed and *not* claimed by anyone else. At least
that's my experience of unclaiming "hard" packages that I couldn't
finish within a month.

A.

-- 
Non qui parum habet, sed qui plus cupit, pauper est.
It is not the man who has too little, but the man who craves more,
that is poor.            - Lucius Annaeus Seneca (65 AD)

Reply to:

References:
- pdns/pdns-recursor
  - From: Abhijith PA <abhijith@disroot.org>
- limits of automatic unclaiming (Re: pdns/pdns-recursor)
  - From: Holger Levsen <holger@layer-acht.org>

Prev by Date: Re: MySQL 5.5 EOL before Debian 8 LTS ends
Next by Date: Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Previous by thread: Re: limits of automatic unclaiming (Re: pdns/pdns-recursor)
Next by thread: RFC: proposed fix for CVE-2018-19518 in uw-imap
Index(es):
- Date
- Thread