Squirrelmail maint+security (Was: Re: FWD: Squirrelmail XSS + SQL security bug?)
On Thu, Jul 22, 2004 at 08:28:23PM +0200, Thijs Kinkhorst wrote:
> Hello People,
> 
> I'm part of the SquirrelMail development team and have assisted Jeroen
> in preparing the recent upload of a new SquirrelMail package.
> 
> Let me comment on some of the issues raised.
 
(...)
> About the SquirrelMail Debian maintainership; this hasn't been up to
> par for the last half year (and before that was also not very active).
> A development version (1.5.0) was added to Debian (why??) and bug
> reports were not attended to, mail was not replied to at all(!).
> Debian should have some kind of mechanism to prevent this from
> happening in the future. Perhaps there should be a policy that each
> package has at least two maintainers? For the SquirrelMail package I'd
> say that Jeroen and Sam become co-maintainers.
For the general case: it's a known problem, and is being discussed.
Solutions are however not very easy.
For the case at hand: I've asked Sam numerous times, and NMU'd, with the
only reaction being a quote from db.debian.org at the time he was marked
as on vacation. Sam, you're not marked as 'on vacation' anymore, can you
please reply to it? In the absence of any real progress in squirrelmail
packaging, I'll still take over the package (and put you as
co-maintainer if you wish) in about two weeks. The reason why I think
this is important is outlined below.
 
> About security fixes in the SquirrelMail code; SquirrelMail does not
> (contrary to Roman's standpoint) adhere to an obscurity policy but
> instead openly discloses any security fix in our code. In the changelog
> and in the announcement of the recent 1.4.3 release it's clearly
> stated that this closes a security hole. If the Debian project wants
> to we can of course notify them if we patch something but it is
> principally their responsibility to monitor our lists, announcements
> and bugtraq.
Thijs and I agreed that he forwards me any cvs commit messages that
deal with security; I will then verify and file an appropriate bug
report and/or notify the Debian security team.
Security issues are the main reason I think it's important that an
active maintainer exists for squirrelmail. In #257973, for example, there
are quite a few issues that are now next to impossible to track down
completely, but if these issues had been tracked from the beginning,
there wouldn't have been any problem.
Of course, it's not just for security issues that I believe a maintainer
should actively follow upstream.
 
> The bottom line is that in my opinion the quality of the Debian
> package "stands or falls" with the activity of the maintainer. Every
> package should have two active maintainers as a rule, not as an
> exception.
> 
> I hope we can continue the collaboration like Jeroen and I did when
> preparing the recent upload. The close contact between development
> team and Debian maintainer turned out to be very efficient.
Indeed.
--Jeroen
-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl