
Re: please remove twiki from lenny



Hi,
* Dominic Hargreaves <dom@earth.li> [2008-12-21 18:20]:
> On Sun, Dec 21, 2008 at 02:14:45PM +0100, Nico Golde wrote:
> > please remove the twiki package from testing. twiki is a
> > regular candidate for security issues that pop up.
> > Currently it has two security issues unfixed (one[0] enables an
> > attacker to do code execution) and there was lately no
> > progress on fixing the bug. For the other issue[1] there
> > is also hardly any movement.
> > 
> > As we are not even in sync with the upstream versions I
> > doubt we can properly support twiki with security fixes
> > during the lenny lifecycle.
> > 
> > [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508257
> > [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508256
> 
> I'm disappointed that the code execution hasn't been addressed (in
> testing or stable) but upstream do provide a trivial patch for the
> version of twiki we have in Debian. If I was to NMU this (I've already
> applied it manually on my system) would this mitigate the need to remove
> twiki? The danger of removing it is that people will then have
> completely unmaintained versions of twiki sitting on their systems.

You are right, the patch for one of the issues is not a big 
deal while the other would involve serious backporting. My 
point is not that this is not fixable, but if the 
maintenance situation and the overall security situation of 
twiki is not going to improve it will be a pain to handle 
security issues after lenny; remember we need to support 
this for quite some time.

What about stepping in as a co-maintainer if you really care 
about twiki?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
