
Bug#516394: removal of djbdns ?



On Mon, Jun 08, 2020 at 07:44:22PM +0200, Matija Nalis wrote:
> Hi,
> 
> I see djbdns is removed from testing, due to unarchiving of 
> critical bug #516394
> 
> However, as source package djbdns 1:1.05-11 builds several binary
> packages (axfrdns, djbdns-conf, djbdns-utils, rbldns, tinydns,
> walldns) and the bug is only in (if not patched) dnscache, 
> would other packages reenter testing and later new stable Debian?

Hi,

I just adopted the djbdns package; the 1:1.05-12 upload with a couple of
packaging fixes should hit unstable in the mirror sync (it has already
been built on most architectures; I'll drop the lsof build dependency in
the next upload so that it builds on even more).  Apropos, let me
express my thanks to Dmitry Bogatov for the large overhaul in 1:1.05-10:
bringing the Debian packaging up to date and incorporating some bugfixes
from other packaging systems.

Now... related to that. I am not sure whether Moritz Muehlenhoff, when
reopening this bug, was aware of the fact that Dmitry Bogatov included
two patches from Jeff King that address the cache poisoning attack -
and actually, the patches were mentioned in this bug log by Matija Nalis
back in 2010. Moritz, is it possible that you had missed the inclusion
of these two patches, or do you believe that they, by themselves, are
still not enough to address this problem? If so, that would indeed be
kind of unfortunate, since it is my impression that these particular
patches are considered the best way to handle this among users of
Prof. Bernstein's software.

Of course, I do not intend to argue with the Security Team - I only have
the utmost respect and gratitude for everything you people do for
Debian! So if it is still your collective stated position that Jeff
King's patches, applied to the djbdns package in Debian as
debian/patches/0007-dnscache-merge-similar-outgoing-udp-packets.patch
and debian/patches/0008-Cache-SOA-records.patch, are not enough, then
I guess I may have to look for some other way to manage the situation,
possibly breaking dnscache off into its own source package to allow
the rest to eventually migrate to testing.

I am late in coming to this discussion, so let me express my thanks to
everyone who has spoken their mind in good faith in the bug log.
Here's hoping we find some way to move forward :)

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net roam@debian.org pp@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
