Your message dated Sat, 03 Apr 2010 18:43:44 +0000 with message-id <E1Ny8Js-0005WW-JK@ries.debian.org> and subject line Bug#481601: fixed in polipo 1.0.4.1-1 has caused the Debian Bug report #481601, regarding Debian-specific patch to Polipo: please revert to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
481601: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481601
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: "Denis V. Sirotkin" <fechiny@gmail.com>
- Cc: submit@bugs.debian.org
- Subject: Debian-specific patch to Polipo: please revert
- From: Juliusz Chroboczek <jch@pps.jussieu.fr>
- Date: Sat, 17 May 2008 12:07:48 +0200
- Message-id: <871w41i6q3.fsf@pirx.pps.jussieu.fr>
Package: polipo
Version: 1.0.4-1

Denis,

You apply the following patch to Debian's polipo:

++++ polipo-1.0.4/log.c +@@ -80,7 +80,9 @@ + + if(logFile != NULL && logFile->length > 0) { + FILE *f; ++ mode_t mask = umask(026); + f = fopen(logFile->string, "a"); ++ umask(mask); + if(f == NULL) { + do_log_error(L_ERROR, errno, "Couldn't open log file %s", + logFile->string); +@@ -340,7 +342,9 @@ + { + if(logFile) { + FILE *f; ++ mode_t mask = umask(026); + f = fopen(logFile->string, "a"); ++ umask(mask); + if(f == NULL) { + do_log_error(L_ERROR, errno, "Couldn't reopen log file %s", + logFile->string);

I have thought it over, and I hereby request that you revert this patch. There are just too many reasons why you should not have applied it.

1. You did apply a patch relating to security without an explicit ack from upstream.

   I hope it is clear from the recent OpenSSL debacle why this must not be done.

2. You did apply a patch without first trying to get it applied upstream.

   You did send me the patch, but only after you applied it. You should only ever apply a patch *after* the patch was rejected upstream *and* you fully understand the reasons why, and believe that these reasons do not apply to Debian. Sorry to beat a dead horse, but taking this approach would have avoided the recent OpenSSL debacle.

3. You changed Polipo's behaviour without documenting it.

   The Debian binary of Polipo now behaves differently from the upstream binary. This will confuse your users and will confuse your friendly upstream when he tries to help your users with debugging. What is more, it will create a rather glaring security hole for anyone who replaces his Debian binary with an upstream binary (which is something people sometimes do, when they need a more recent version).

4. Your patch, while technically correct, will lead to bugs in the future.

   Your patch manipulates the process' *user* mask, which must never be manipulated by a program. The umask is a global process feature. It will cause a rather glaring security hole if I ever decide to use threads in Polipo. The proper way to do what you need is to use open(O_CREAT) with the right permissions (but obeying the umask), then pass the file descriptor to fdopen. Of course, the permissions should be configurable by a config variable.

Any one of the above reasons is enough to ask you to revert this patch.

Regards,

Juliusz

Attachment: pgpkKQNTSbsgY.pgp
Description: PGP signature
--- End Message ---
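Review bot: In the first hunk (log.c, @@ -80), umask(026) replaces the inherited mask instead of only tightening it, so a process started under a stricter umask such as 077 ends up with a log file that is group-readable (0640) where fopen alone would have produced 0600. Suggest dropping both umask calls and creating the file with open() using O_CREAT and an explicit mode, then passing the descriptor to fdopen(), so the inherited umask still applies.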
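Review bot: The second hunk (log.c, @@ -340, the reopen path) repeats the save/set/restore sequence with the literal 026 hard-coded a second time, and because the mask is process-wide, any file created by another thread or a signal handler between umask(026) and umask(mask) is created under the temporary value. Suggest one shared helper for both call sites that takes the mode from a configuration variable rather than a literal and leaves the umask untouched.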
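The approach described in point 4 of the message above, as an added example (not Polipo's or Debian's code): the log is created with open(O_CREAT) and an explicit mode, then handed to fdopen, so the inherited umask can only tighten the result. The names open_log_file and created_mode, the scratch path and the 0640 mode are assumptions; created_mode changes the umask only to simulate the environment the daemon was started in.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Polipo's code): open a log for appending and
 * create it with at most `mode` permission bits. The umask is left alone,
 * so it can only clear bits from `mode`, never grant extra ones. */
FILE *open_log_file(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, mode);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "a");
    if (f == NULL)
        close(fd);              /* do not leak the descriptor */
    return f;
}

/* Demo only: create a fresh log in a scratch directory while the process
 * runs under `inherited` (standing in for the umask the admin started the
 * daemon with) and return the resulting permission bits, or -1 on error. */
int created_mode(mode_t inherited, mode_t log_mode)
{
    char dir[] = "/tmp/logperm-XXXXXX", path[64];
    struct stat st;
    int bits = -1;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/constructed.log", dir);
    mode_t saved = umask(inherited);
    FILE *f = open_log_file(path, log_mode);
    umask(saved);
    if (f != NULL) {
        if (fstat(fileno(f), &st) == 0)
            bits = (int)(st.st_mode & 0777);
        fclose(f);
    }
    unlink(path);
    rmdir(dir);
    return bits;
}

int main(void)
{
    printf("umask 022 -> %04o, umask 077 -> %04o\n",
           (unsigned)created_mode(022, 0640), (unsigned)created_mode(077, 0640));
    return 0;
}
```

With the umask(026)/fopen sequence from the quoted patch, the 077 case would yield 0640 instead, because the temporary mask replaces the stricter inherited one.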
--- Begin Message ---
- To: 481601-close@bugs.debian.org
- Subject: Bug#481601: fixed in polipo 1.0.4.1-1
- From: Erinn Clark <erinn@torproject.org>
- Date: Sat, 03 Apr 2010 18:43:44 +0000
- Message-id: <E1Ny8Js-0005WW-JK@ries.debian.org>
Source: polipo
Source-Version: 1.0.4.1-1

We believe that the bug you reported is fixed in the latest version of polipo, which is due to be installed in the Debian FTP archive:

polipo_1.0.4.1-1.diff.gz
  to main/p/polipo/polipo_1.0.4.1-1.diff.gz
polipo_1.0.4.1-1.dsc
  to main/p/polipo/polipo_1.0.4.1-1.dsc
polipo_1.0.4.1-1_i386.deb
  to main/p/polipo/polipo_1.0.4.1-1_i386.deb
polipo_1.0.4.1.orig.tar.gz
  to main/p/polipo/polipo_1.0.4.1.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 481601@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Erinn Clark <erinn@torproject.org> (supplier of updated polipo package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 31 Mar 2010 19:26:20 -0700
Source: polipo
Binary: polipo
Architecture: source i386
Version: 1.0.4.1-1
Distribution: unstable
Urgency: low
Maintainer: Erinn Clark <erinn@torproject.org>
Changed-By: Erinn Clark <erinn@torproject.org>
Description:
 polipo - a small, caching web proxy
Closes: 481601 547047 574613
Changes:
 polipo (1.0.4.1-1) unstable; urgency=low
 .
   * New maintainer.
   * New upstream release.
   * Update Standards-Version to 3.8.4.
   * Remove duplicate word in long description (closes: #574613)
   * Remove 30_log-permission patch. (closes: #481601)
   * Remove 40_segfault_max_age.dpatch. (closes: #547047)
   * Remove 50_integer_overflow.dpatch. Fixed upstream.
   * Remove 60_security_fixes.dpatch. Fixed upstream.
   * Put /var/cache/polipo and /var/log/polipo in the .deb and stop managing
     them in postinst and postrm.
   * Remove offline and online options from polipo-control.
--- End Message ---