On Mon, Apr 21, 2003 at 08:18:50AM -0700, Neil Schemenauer wrote: > > 80888 followup: work out what to do about this package > This is the dnrd security bug. I still don't know what to do about it. > I don't have time nor do I want to rewrite a piece of software I don't > use. The upstream maintainer does not seem to care. The Debian > maintainer does not have the experience. The daemon runs under its own > UID in a chroot jail so a cracker would have a tough time doing any > damage. However, if you are sufficiently paranoid, you would not use > the package. Should we remove it? I'm paranoid but I wouldn't use > sendmail or bind either. Does that mean we should remove them from > Debian? The syllogism is pretty simple: * Security bugs are release-critical * Release-critical bugs are bugs so severe we'd rather drop the feature, than distribute it with the bug So, the question is "is this really a security bug?". If it is, then it's release critical and the package needs to be fixed/dropped. If it's not, then the severity's wrong. The bugs allow access to a process running as the nobody user, that (apparently) can't write to the filesystem. It can, presumably, use the CPU, allocate memory, and fork. Does that match ``makes ... the whole system break .. or introduces a security hole on systems where you ins tall the package'' ? If so, it should be left as is, and the remark ``In the meantime, exploiting these problems will get you nowhere.'' in the bug log corrected. If not, the bug should be downgraded. If there's no prospect of the bug ever getting fixed, I'd be inclined to remove the package entirely, or at least move it to experimental, where people aren't as likely to stumble across it. > > 119851 followup: NMU needed; should package be marked as orphaned? > I did an NMU. It looks like someone is going to take over gap4. Should > I still orphan it? BTW, the idea here is for you to be making the decisions. If they turn out to be bad ones, we'll fix them up when we go over them on this list. Thus, what you presumably meant to say was "It looks like someone is going to take over gap4, so orphaning doesn't seem necessary." Cheers, aj -- Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/> I don't speak for anyone save myself. GPG signed mail preferred. ``Dear Anthony Towns: [...] Congratulations -- you are now certified as a Red Hat Certified Engineer!''
Attachment:
pgpT3yZTmriJi.pgp
Description: PGP signature