[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: please remove twiki from lenny

* Dominic Hargreaves <dom@earth.li> [2008-12-21 18:20]:
> On Sun, Dec 21, 2008 at 02:14:45PM +0100, Nico Golde wrote:
> > please remove the twiki package from testing. twiki is a
> > regular candidate for security issues that pop up.
> > Currently it has two security issues unfixed (one[0] enables an
> > attacker to do code execution) and there was lately no
> > progress on fixing the bug. For the other issue[1] there
> > is also hardly any movement.
> > 
> > As we are not even in sync with the upstream versions I
> > doubt we can properly support twiki with security fixes
> > during the lenny lifecycle.
> > 
> > [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508257
> > [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508256
> I'm disappointed that the code execution isn't hasn't been addressed (in
> testing or stable) but upstream do provide a trivial patch for the
> version of twiki we have in Debian. If I was to NMU this (I've already
> applied it manually on my system) would this mitigate the need to remove
> twiki? The danger of removing it is that people will then have
> completely unmaintained versions of twiki sitting on their systems.

You are right, the patch for one of the issues is not a big 
deal while the other would involve serious backporting. My 
point is not that this is not fixable but if the 
maintainance situation and the overall security situation of 
twiki is not going to improve it will be a pain to handle 
security issues after lenny, remember we need to support 
this for quite some time.

What about stepping in as a co-maintainer if you really care 
about twiki?


Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgptemxZBQ6C8.pgp
Description: PGP signature

Reply to: