
Re: intend to hijack GnuPG



Hello Laszlo, release team,

On Sat, April 19, 2008 09:57, Andreas Barth wrote:
> * Laszlo Boszormenyi (gcs@debian.hu) [080419 07:42]:
>
>> I intend to hijack GnuPG[1], but as it builds an udeb and has priority
>> important, I ask if the Release Team allow it.

> So, the only on-topic question is: Do we want 1.4.9 in Lenny, and I need
> to say that I didn't read any convincing argument for that to happen yet.
> So I don't see release team pressure on uploading a new version.

Judging from the changelog I don't see a reason to push for 1.4.9 now. But
reviewing the security status of a freshly installed lenny system, I found
that gpg is still installed setuid root unnecessarily. See #346597 and
friends.

I think it's important to fix that bug. Reading Lenny RC policy 5(b), I
think this is release critical although the bug isn't marked as such (let
me know if you want me to upgrade it). If it helps, Ubuntu has removed the
setuid bit since Nov 2004.

Therefore I plan to do an NMU soon to fix this bug. Although not
officially frozen I'd like to have the input of the release team whether
they think such a change is acceptable at this time. Also Laszlo, if you
object to such an NMU, please let me know.


cheers,
Thijs

