Re: Debian ships very old software (rplay, paps)



On 2025-10-31 17:03:47 +0100, Nicolas George wrote:
> Vincent Lefevre (HE12025-10-31):
> > You would have seen that there is potential denial of service
> > (process crashes).
> 
> At worst, true. It is a mistake to lump denials of service together with
> real security flaws. For starters, it is possible to deny service by the
> virtue of being bigger than the target, without any flaw in the target.
> 
> > Worse, Fabio Degrigis could trigger a SIGSEGV on a memcpy:
> > 
> >   https://www.openwall.com/lists/oss-security/2025/10/18/4
> > 
> > which would mean a bad pointer or buffer overflow.
> 
> → a crash.

Bad pointers and buffer overflows can have worse effects than just
a crash.

And even if this is just a crash, this can yield data loss.

> > > Almost all software runs on Windows or Macos. So what?
> > Here we're on Debian.
> 
> You have not answered: so what if most software does something? Is it
> supposed to imply that it is a good thing?

Personally, I think that the fact that almost all software
runs on Windows or Macos is a good thing, as long as they
run on Linux too (otherwise I do not care). This means more
users, thus tends to increase the interest and the number of
developers, which benefits all users, including Debian ones.

> > This is silly.
> 
> Absolutely not. In terms of security and stability, there is no
> difference between a package that you have not installed because you
> have chosen not to install it and a package that you have not installed
> because it is not available.

The point is that I want to install some package (which would
be perfectly fine without the dependency). Telling me not to
install it is just silly.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)