
Re: Question to all candidates about stable point releases



On Tue, 2006-03-07 at 15:26 +0000, Martin Michlmayr wrote:
> * Moritz Muehlenhoff <jmm@inutil.org> [2006-03-07 16:10]:
> > Anthony Towns wrote:
> > > There are, for instance, a range of outstanding RC bugs
> > > on sudo as a result of the security release for it that need fixing,
> > > which aiui aren't being worked on
> > 
> > Bdale said he would prepare a patch, that would add more documentation
> > and whitelist some more env vars like DISPLAY or XAUTHORITY. We haven't
> > heard from him yet.
> 
> Let's CC him.  Bdale, what's the status of this?

Thanks.  I'm not caught up on -vote email right now.

This whole sudo situation is frustrating to me, because the patch used
by the security team for stable is not what I chose to do for unstable,
and as the entries in the BTS make clear, the lack of documentation for
the behavior change in the security update left many of our users
confused and upset.  

The email exchange I initiated with the security team about the open
bugs against sudo eventually led to what I believe is an agreement about
what should change for another update of sudo in stable, belief that
what we're talking about is in fairly good alignment with what upstream
hopes to deliver for his next version, and therefore my agreement that
implementing the same behavior for unstable is something I'm willing to
do once we have a suitable patch.  Frankly, I'm hoping we get a new
upstream release in time for etch so that we don't have to ship a sudo
that behaves differently from the rest of the world, because more secure
or not, being different won't make many users happy.

With respect to generating a suitable patch, what I actually said in my
last email on the subject dated 16 Feb to Joey, kov, and the security
team was:

> Who has time to prepare a candidate patch?  I am traveling through the
> weekend, maybe I will have time next Monday or Tuesday if nobody gets
> to it sooner.

That got no response, the "maybe" did not happen, and there has been no
further email to me that suggested anyone was blocking any other
activities waiting for this work, other than the obvious angst of our
users who are trying to live with the current version that is reflected
in our BTS.

I'll put this at the top of my priority list of things to do for Debian,
but if someone else has time to create a candidate patch and send it to
me while I continue with my paying work for today, that would certainly
help and be welcomed!

Bdale


