Re: advice needed on how to proceed
On Jul 30, 2004, at 12:06 PM, Martin-Éric Racine wrote:
(note: I'm not subscribing to this list, please CC me)

Bug#259993 was submitted on one of my packages, tagged as a security risk. Upstream has been quite cooperative in asserting the gravity and is very willing to fix anything that the submitter can demonstrate. The problem is that some of the submitter's claims appear questionable and that he refuses to substantiate. I'm tempted to tag this as wont-fix, but would like this list's input first.
They seem to be real security issues.

The requester's attitude that his work is done since he's submitted the report is slightly annoying but I can see his perspective.

It's tough to make secure software and it's tougher to be a package maintainer for a piece of software where the upstream author has limited time. In our world of open source that's often the reality.

I see no harm in leaving the bug open or if you do mark it as "won't fix" I would indicate that it is because you aren't the person to fix it and/or can't fix it but don't say there is no security vulnerability.

If I had to spend my efforts on fixing security issues, locally generated ones would be second to network-available exploits. Also, the complexity of these exploits is such that many programs suffer from them and it's a matter of figuring out which ones are important to fix.
-davidu
----------------------------------------------------
David A. Ulevitch - Founder, EveryDNS.Net
http://david.ulevitch.com -- http://everydns.net
----------------------------------------------------