[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Please remove knowledgetree and slash for security issues

severity 160579 minor

On Mon, Aug 21, 2006 at 04:21:20PM +0200, Thijs Kinkhorst wrote:

> I'd like to request removal of knowledgetree for testing for these
> reasons:
> * Has two security issues;
> * Has an open request for adoption since a couple of months but no takers;
> * Has low popcon numbers;
> * Is a couple of versions behind upstream.
> (See bug #373137)

This package had already been removed from testing.

> Same goes for slash:
> * Has two security issues with no real response for four and one years
>   respectively;
> * Has 4 installs and 3 votes in popcon;
> * Release is years old, upstream develops but is not releasing.
> (See bug #160579)

The maintainer seems to disagree that there's any reason to remove the
package.  The argument for removing it for security reasons isn't strong --
160579 amounts to "a user can do stupid things that will expose his
password, like typing them into the URL bar"; yes, this should be tagged
'security', but the presence of a bug tagged 'security' is not itself a
reason to remove the package from a release when that security hole does not
itself qualify as an RC bug.

The other reasons seem more like a reason to remove the package from the
archive than from the release specifically; please check with -qa if they
would like to have this package removed from unstable over the maintainer's
objections in that case.

In the meantime, I'm downgrading 160579 because I don't see anything in that
report that would justify claiming the package is unreleasable.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Reply to: