Re: intend to hijack GnuPG
On Fri, May 02, 2008 at 04:56:45PM +0200, Thijs Kinkhorst wrote:
> On Sat, April 19, 2008 09:57, Andreas Barth wrote:
> > So, the only on-topic question is: Do we want 1.4.9 in Lenny, and I need
> > to say that I didn't read any convincing argument for that to happen yet.
> > So I don't see release team pressure on uploading a new version.
>
> Judging from the changelog I don't see a reason to push for 1.4.9 now. But
> reviewing the security status of a freshly installed lenny system, I found
> that gpg is still installed setuid root unnecessarily. See #346597 and
> friends.
>
> I think it's important to fix that bug. Reading Lenny RC policy 5(b), I
> think this is release critical although the bug isn't marked as such (let
> me know if you want me to upgrade it). If it helps, Ubuntu has removed the
> setuid bit since Nov 2004.
>
> Therefore I plan to do an NMU soon to fix this bug. Although not
> officially frozen I'd like to have the input of the release team whether
> they think such a change is acceptable at this time. Also Laszlo, if you
> object to such an NMU, please let me know.
An upload fixing bug #346597 looks acceptable.
Cheers
Luk
Reply to: