Re: intend to hijack GnuPG
Hello Laszlo, release team,
On Sat, April 19, 2008 09:57, Andreas Barth wrote:
> * Laszlo Boszormenyi (firstname.lastname@example.org) [080419 07:42]:
>> I intend to hijack GnuPG, but as it builds an udeb and has priority
>> important, I ask if the Release Team allow it.
> So, the only on-topic question is: Do we want 1.4.9 in Lenny, and I need
> to say that I didn't read any convincing argument for that to happen yet.
> So I don't see release team pressure on uploading a new version.
Judging from the changelog I don't see a reason to push for 1.4.9 now. But
reviewing the security status of a freshly installed lenny system, I found
that gpg is still installed setuid root unnecessarily. See #346597 and
I think it's important to fix that bug. Reading Lenny RC policy 5(b), I
think this is release critical although the bug isn't marked as such (let
me know if you want me to upgrade it). If it helps, Ubuntu has removed the
setuid bit since Nov 2004.
Therefore I plan to do an NMU soon to fix this bug. Although not
officially frozen I'd like to have the input of the release team whether
they think such a change is acceptable at this time. Also Laszlo, if you
object to such an NMU, please let me know.