
Re: dhcpd runs as root



On 8/29/2013 8:24 AM, Andrew Wood wrote:
> On 28/08/13 01:13, Jerry Stuckle wrote:
>> Reading through the bug report, it looks like upstream didn't accept
>> it.  Debian stays as close as possible to upstream, for good reason.
>
> I agree it's good to keep things as close as possible to upstream, but
> unless upstream can present some compelling argument for why they've
> chosen to run it as root, surely this would be a good case to deviate?
> Running a network daemon as root is poor security practice and just
> plain poor design.



The problem with changing upstream code is it is not a one-shot deal. Changes must be investigated and applied every time a new version comes out, which means someone has to keep track of the changes which were done, and see how they fit into the new code. It can be a very time-consuming job.

Additionally, one needs to investigate other packages which interface to this one, to see how they may be affected. Does anything depend on the operation as documented by upstream? It gets very complicated, very quickly.

You can apply a patch to your own system pretty easily, and back it off if it doesn't work. But changing code for a system like Debian is a whole different story.

If you feel this is such a security exposure (personally, I don't see it as a big exposure), then I suggest you take it up again with upstream.

Jerry

