
Re: suggestions for packages to force to testing for security fixes

On Sat, Apr 02, 2005 at 01:42:49PM +0300, Riku Voipio wrote:
> On Fri, Apr 01, 2005 at 05:10:05AM -0800, Steve Langasek wrote:
> > > lsh-utils 2.0-1 needed, have 1.4.2-8.2 for CAN-2005-0389
> > > lsh-utils 2.0.1-1 needed, have 1.4.2-8.2 for CAN-2005-0814 
> > > 	(Also has a RC bug though.)

> > yeah, that doesn't sound like a win yet (though it's also built on m68k).

> lsh-utils has the following, worrying description:

> --snip--
> Description: Secure Shell v2 (SSH2) protocol server
> ...
>  WARNING: This is a work in progress, and may be totally insecure.
> --snip--

> If the description is not out of date (It hasn't changed since last
> stable), is this really something that should go to sarge?

Surely it was even more of a work in progress when it was allowed into woody
three years ago?  If the security team hasn't asked us yet to drop it from
sarge based on that experience, I don't see any reason to drop it based on a
poorly chosen description.

Steve Langasek
postmodern programmer
