Re: dcc removal?

Nico Golde wrote:
> currently there is one medium severe security issue in the
> dcc software (CVE-2007-1047[0]) which is currently unfixed
> in all Debian distributions.
> I had a private conversation[1] with the upstream author of dcc
> and the result of this was that backporting this fix to the
> versions included in Debian is not possible because there
> are way too many changes between the versions to
> extract the relevant changes from the diff without having a
> deep knowledge of what the code does.
> So we can't backport a fix and we also don't get patches by
> the upstream author.
> Considering that this also does have a negative impact on
> the DCC network itself, what do you think about removing
> this package from stable?

It's my understanding from the conversation with upstream that the open
security issue is unrelated to the fact that the outdated version
of DCC in Etch causes problems inside the DCC network.

But removal still seems the proper course of action here.

