[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: advice needed on how to proceed

On Jul 30, 2004, at 12:06 PM, Martin-Éric Racine wrote:

(note: I'm not subscribing to this list, please CC me)

Bug#259993 was submitted on one of my package, tagged as a security risk.

Upstream has been quite cooperative in asserting the gravity and is very willing to fix anything that the submitter can demonstrate. The problem is that some of the submitter's claims appear questionable and that he refuses to substanciate.

I'm tempted to tag this as wont-fix, but would like this list's input first.

They seem to be real security issues.

The requester's attitude that his work is done since he's submitted the report is slightly annoying but I can see his perspective.

It's touch to make secure software and it's tougher to be a package maintainer for a piece of software where the upstream author has limited time. In our world of open source that's often the reality.

I see no harm in leaving the bug open or if you do mark it as "won't fix" I would indicate that it is because you aren't the person to fix it and/or can't fix it but don't say there is no security vulnerability.

If I had to spend my efforts on fixing security issues, locally generated ones would be second to network-available exploits. Also, the complexity of these exploits is such that many programs suffer from them and it's a matter of figuring out which ones are important to fix.


  David A. Ulevitch - Founder, EveryDNS.Net
  http://david.ulevitch.com -- http://everydns.net

Reply to: