Re: dcc removal?

To: debian-release@lists.debian.org
Subject: Re: dcc removal?
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Fri, 18 Jan 2008 01:47:53 +0100
Message-id: <[🔎] slrnfovtpp.3f2.jmm@inutil.org>
References: <[🔎] 20080117190752.GA2447@ngolde.de>

Nico Golde wrote:
> currently there is one medium severe security issue in the=20
> dcc software (CVE-2007-1047[0]) which is currently unfixed=20
> in all Debian distributions.
>
> I had a private conversation[1] with the upstream author of dcc
> and the result of this was that backporting this fix to the=20
> versions included in Debian is not possible because there=20
> are way too many changes between the version to
> extract the relevant changes from the diff without having a=20
> deep knowledge of what the code does.
>
> So we can't backport a fix and we also don't get patches by=20
> the upstream author.
>
> Considering that this also does have a negative impact on=20
> the DCC network itself, what do you think about removing=20
> this package from stable?

It's my understanding from the conversation with upstream, that the open
security issues is unrelated to the fact that the outdated version
of DCC in Etch causes problems inside the DCC network.

But removal seems still the proper cause of action here.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: dcc removal?
  - From: Nico Golde <debian-release+ml@ngolde.de>

References:
- dcc removal?
  - From: Nico Golde <debian-release+ml@ngolde.de>

Prev by Date: Re: xpdf code security, removal of pdftohtml
Next by Date: Please binNMU kildclient
Previous by thread: dcc removal?
Next by thread: Re: dcc removal?
Index(es):
- Date
- Thread