Re: D-Bus security issue

On Thu, 08 Jan 2009 at 19:34:20 +0100, Luk Claes wrote:
> Ok, please upload according to plan.

dbus, consolekit, odccm, pommed and system-tools-backends have been fixed,
and have been unblocked already. The last package on my RC-for-lenny list was

I've just NMU'd smart-notifier, but to be honest I'm not convinced the
package is of release quality; I'm surprised how many misunderstandings and
workarounds will fit in 12K, and rather disappointed that a DD sponsored it
in the first place. Specifically:

* it turns out that any local user could fake a message from smartd; it was 1
  line away from being secure, but the author commented out that line,
  apparently because, due to a misunderstanding of D-Bus terminology, he
  couldn't get it to work (fixed in my NMU)

* it unconditionally depends on python2.4 and installs version-independent,
  pure-Python library code in a pointlessly version-specific location
  (fixed in my NMU - could be simplified further at the cost of a larger

* zero byte Debian diff (prior to my NMU) while allegedly a non-native package
  (the maintainer, who is also the upstream author, doesn't seem to
  understand the difference between native and non-native; I'm surprised
  the sponsor didn't reject the package and explain the problem)

* the notification window steals focus (I filed a bug), is not resizable
  (bug already exists), and is slightly too small for the text it displays

* I doubt that it complies fully with the Python policy even after my
  NMU, although at this point in the release cycle I don't really care

So I'd be happy with either "unblock smart-notifier/0.28-1.1" or
"remove smart-notifier/0.28-1", whichever the release team think is more
appropriate. The package has about 700 installs and 370 votes in popcon, and
prior to my NMU, it hadn't been touched since before etch.

The NMU diff is attached, or can be viewed in


