Re: Passwd packages are too buggy (need help?)
Javier Fernández-Sanguino Peña <jfs@computer.org> writes:
> Karl, I have just recently browsed the passwd packages bugs and there are
> quite a number of them who have not been addressed (some) for over a year.
> Many of these bugs could be considered security related because some of
> the tools provided will not work with MD5 passwods (recommended in Debian
> installation).
Many of the older ones I inherited from the previous maintainer, and many
of them I believe were fixed by the previous maintainer still open because
I tend to put new packages ahead of debbugs maintenance.
> Many bug reports do not even have a followup by the maintainer saying:
> "this is true, will fix". There is a new release upstream (as #150237
> says) that seems to fix some of the bugs (such as #142070, #89803, #81721)
> since PAM support has been added (as far as I can see in
> http://cvs.pld.org.pl/shadow/ChangeLog?rev=1.1) also these entries are
> important:
I know about the new release. Why does everyone assume that I don't? I'm
currently slogging through the debian-specific patches from the
previous-version packaging, and not enjoying it very much because the new
upstream reformatted all the C code.
> * src/useradd.c:
> - fix a security bug (adduser could overwrite previously existing
> groups (shadow-19990827-group.patch from RH),
> * lib/commonio.c:
> - installed fix for SEGV when using pwck -s on /etc/passwd file
> with
> empty lines in it
Neither of those seem especially earth-shattering. Annoying, yes, but not
earth shattering [and I'd need some convincing that the useradd bug was
actually a security problem.]
> Most other changes are documentation-related (translated manpages).
>
> Do you need help with this package? You could consider uploading a new
> upstream version up to experimental and ask bug-trackers to follow it and
> see if it fixes (some of) the bugs that are currently over a year old.
What I have now works for me, but I suspect it would be badly broken for
most people. I'll consider whether I'll die of embarrassment if I upload
it to experimental.
> PS: Incidently I just filed a bug against xscreensaver and against passwd,
> sorry :(
Hmm, don't see your passwd bug yet. And I'm not convinced at all by your
xscreensaver bug. :-)
kcr
Reply to: