Re: privilege escalation and potential data loss in logrotate
Hi,
> (copying the thread to debian-devel, where mass bug filings *have to* be
> discussed, not d-qa)
As such I would suggest completely moving this thread over to d-devel
and dropping d-qa from subsequent mails.
[...]
> > If I don't see any solution emerging in a reasonable time frame, my next
> > step would be a more-or-less mass filing against all those packages that
> > some rough analysis suggests are affected by either the vulnerability
> > or the regression so that their maintainers can take measures to work
> > around the problem if they want to.
> 
> So, instead of fixing logrotate in stable (did you contact the release
> team to ask if an NMU is possible?), so just one package, you preferred
> to file 32 bugs[1] for all the affected packages? Also with phrases
> like "I don't remember how I made the tests, or if the bugs are still
> there, but trust me there's a problem" it's kinda upsetting and/or
> unprofessional.
Would you mind pointing out where I wrote this particular sentence or
alternatively retracting that quote? Thanks.
Also, apparently I haven't stated this with sufficient clarity yet: I have
been trying to get logrotate fixed for over four years now by supplying
patches, being responsive to the maintainer, notifying the security team
of the issue, trying to get a discussion started on d-qa, all with very
limited success. So much for upsetting and unprofessional.
Also: No, I didn't. I'm sorry if I didn't find the right way to do things
in Debian's bureaucracy, but I am not a Debian developer and I tried
to be careful--and at least logrotate's maintainer obviously knew what
I was up to, plus anyone on d-qa who read my mail there also could have
pointed me in the right direction, so I won't take the blame for that.
> If you really care about this problem, which is nice, try to get
> logrotate fixed.
Would you mind explaining how to go about that?
Florian