Re: util-linux for sarge

To: LaMont Jones <lamont@debian.org>, debian-release@lists.debian.org, e2fsprogs@packages.debian.org
Subject: Re: util-linux for sarge
From: Theodore Ts'o <tytso@mit.edu>
Date: Sun, 27 Mar 2005 16:30:59 -0500
Message-id: <[🔎] 20050327213059.GA14936@thunk.org>
In-reply-to: <[🔎] 20050326163941.GC18472@mmjgroup.com>
References: <[🔎] 20050324015918.GB7776@mmjgroup.com> <[🔎] 20050326011610.GH6434@mauritius.dodds.net> <[🔎] 20050326163941.GC18472@mmjgroup.com>

On Sat, Mar 26, 2005 at 09:39:41AM -0700, LaMont Jones wrote:
> On Fri, Mar 25, 2005 at 05:16:14PM -0800, Steve Langasek wrote:
> > Additional con:
> >  - depends on a newer version of e2fsprogs than we currently have in
> > testing, which requires updating roughly a half dozen frozen libraries
> > Hrm, this looks like a bug in libblkid1 to me, since the shlibs were not
> > updated when the new public functions were added...
> 
> There is a security vulnerability caused by mount using the older
> version of libblkid1, which didn't verify that euid=uid before blindly
> using an environment variable for a file name...

There are also a bunch of core-dumping-or-at-that-level-of-severity
bugs that have been fixed since the prehistoric era (when base was
frozen -- OK, I'm only exagerating a little) in e2fsprogs 1.37.  On my
todo list is to backport only the bugfixes, and submit them for t-p-u,
but I haven't had the time to do that in the past couple of weeks.

There is always going to be this issue, however, of an increasing
number of bugs found in various frozen packages the longer we delay
the release.  So having missed the original message which kicked off
this thread, why do we need to go to a newer version of util-linux, as
opposed to simply forward-porting the fixes?  I've resigned myself to
being forced to do this with e2fsprogs --- why can't util-linux do the
same thing?  

Or put another way, if util-linux should get a pass to upgrade to the
latest version to fix bugs, despite being frozen, why shouldn't
e2fsprogs get the same privilege?  (This is rhetorical, if slightly
unfair, question --- I don't expect an answer.  :-)

						- Ted

P.S.  Note that util-linux doesn't *have* to use the blkid library.
You can disable it, and given that sarge currently doesn't use the
blkid in mount, however inconsistent it may be that fsck and mount use
different code bases to interpret UUID= and LABEL= specifiers in
/etc/fstab (with fsck supporting more filesystems because it uses the
blkid library), we have this misfeature in sarge, and changing it now
is probably too risky.

Reply to:

References:
- util-linux for sarge
  - From: LaMont Jones <lamont@debian.org>
- Re: util-linux for sarge
  - From: Steve Langasek <vorlon@debian.org>
- Re: util-linux for sarge
  - From: LaMont Jones <lamont@debian.org>

Prev by Date: Re: [xml/sgml-pkgs] Too many xerces versions in sarge: can we get rid of some?
Next by Date: Please respond to me, I wish I was with you right now,.,,.crony
Previous by thread: Re: util-linux for sarge
Next by thread: whois, tcp-wrappers
Index(es):
- Date
- Thread