Re: [SECURITY] [DSA 2038-3] New pidgin packages fix regression



Hi Gerfried,

On Mon, November 15, 2010 12:24, Gerfried Fuchs wrote:
>         Hi!
>
> * Thijs Kinkhorst <thijs@debian.org> [2010-11-13 20:37:28 CET]:
>> Since a few months, Microsoft's servers for MSN have changed the
>> protocol, making Pidgin non-functional for use with MSN. It is not
>> feasible to port these changes to the version of Pidgin in Debian
>> Lenny. This update formalises that situation by disabling the protocol
>> in the client. Users of the MSN protocol are advised to use the version
>> of Pidgin in the repositories of www.backports.org.
>
>  There are several things with this that itch me a fair bit: The most
> obvious is that it's now backports.debian.org, not www.backports.org
> anymore, which leaves a skewed view on the status of the service.

As the (unquoted part of the) text notes, the paragraph you cite is just a
facsimile of the original advisory text, nothing more. This explains why
recent developments have not been incorporated.

>  Secondly, I can't remember any information exchange between the
> security team and the backporters of the package. Especially in the
> light of the not-too-far-ago thread on debian-devel about the security
> support state on backports where Gilbert left a quite clear opinion (and
> non-disputed by other people of the security team) about the state (or
> rather, non-state) of security support for backports this is also a fair
> bit disturbing.

For this the same goes as for the paragraph above: this relates to
information from the original DSA, so it's not a recent development. The
maintainer of pidgin provided this advice. It seems reasonable to me that
if the maintainer suggests this as an alternative, this can be taken at
face value to be a good idea for our users (i.e.: there's commitment to
maintain at least that package to a serious level in backports). The
advice is clear on the fact that it pertains to the pidgin package
specifically.

"Gilbert" is not a part of the security team. I'm unsure why you refer to
him only by his last name.

>  Can we please try to get discussion going on about how to continue from
> here? The above statement in an official DSA sounds like an endorsement
> of using backports by the security team, and I would like to know how we
> can actually improve the situation on that grounds and move forward from
> here.

Such a discussion is good, and I am all for a security supported
backports, but I think it untroubles things if we refrain from relating
them to DSA 2038.

Cheers,
Thijs
