
Re: Assignments II (2003/04/03)



On Mon, Apr 21, 2003 at 08:18:50AM -0700, Neil Schemenauer wrote:
> >      80888 followup: work out what to do about this package
> This is the dnrd security bug.  I still don't know what to do about it.
> I don't have time nor do I want to rewrite a piece of software I don't
> use.  The upstream maintainer does not seem to care.  The Debian
> maintainer does not have the experience.  The daemon runs under its own
> UID in a chroot jail so a cracker would have a tough time doing any
> damage.  However, if you are sufficiently paranoid, you would not use
> the package.  Should we remove it?  I'm paranoid but I wouldn't use
> sendmail or bind either.  Does that mean we should remove them from
> Debian?

The syllogism is pretty simple:

	* Security bugs are release-critical
	* Release-critical bugs are bugs so severe we'd rather drop the
	  feature, than distribute it with the bug

So, the question is "is this really a security bug?". If it is, then it's
release critical and the package needs to be fixed/dropped. If it's not,
then the severity's wrong. The bugs allow access to a process running
as the nobody user, that (apparently) can't write to the filesystem. It
can, presumably, use the CPU, allocate memory, and fork. Does that match
``makes ... the whole system break .. or introduces a security hole on
systems where you install the package'' ?

If so, it should be left as is, and the remark ``In the meantime,
exploiting these problems will get you nowhere.'' in the bug log
corrected. If not, the bug should be downgraded.

If there's no prospect of the bug ever getting fixed, I'd be inclined
to remove the package entirely, or at least move it to experimental,
where people aren't as likely to stumble across it.

> >     119851 followup: NMU needed; should package be marked as orphaned?
> I did an NMU.  It looks like someone is going to take over gap4.  Should
> I still orphan it?

BTW, the idea here is for you to be making the decisions. If they turn
out to be bad ones, we'll fix them up when we go over them on this list.

Thus, what you presumably meant to say was "It looks like someone is
going to take over gap4, so orphaning doesn't seem necessary."

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``Dear Anthony Towns: [...] Congratulations -- 
        you are now certified as a Red Hat Certified Engineer!''
