
Re: Technical committee resolution



On Mon, 31 Mar 2008, Joey Hess wrote:
> By bringing an issue to the tech ctte, both sides of the issue have
> to give up some control, and thus responsibility. So in this case it's
> not just wordpress's maintenance, but also the security support
> work that the security team would normally handle (ie, writing DSAs
> and pushing out fixes) that the tech ctte delegate would be
> responsible for.

I agree that the stable security team should no longer be responsible
for the wordpress package,[1] but when the maintainer (whose
responsibility it is anyway) has stepped up and said that they were
going to maintain the packages through a full stable release cycle,
then they have the responsibility to do so.

If that breaks down, members voting for the referendum should
exercise responsibility instead.

I just disagree with the idea that a TC decision automatically
absolves all parties to the decision (save the TC) of their
responsibilities.

> FWIW, at least these security holes seem pretty bad:
> 
> CVE-2007-3543, CVE-2007-3544 remote upload and execution of php code
> CVE-2007-4154 7 varieties of SQL injection
> CVE-2008-0196 directory traversal via "..", and arbitrary file modification
> CVE-2007-1599, CVE-2007-3639 redirect authenticated users to other sites
>   and obtain potentially sensitive information

Yuck.

On Mon, 31 Mar 2008, Moritz Muehlenhoff wrote:
> Don Armstrong wrote:
> > The package in question, as problematic as it is, has an active
> > maintainer who claimed that he would do exactly this.
> 
> People claim stuff all the time. It's also Neil McGovern who
> promised to do it and never did so. (Which is especially bad since
> at least two people quoted this to be a reason to keep it in their
> vote)

It's not clear to me what sort of guarantee you would require; at some
point it all comes down to people and their commitments. People who
serve on the CTTE, as well as people in general, can always renege on
their commitments. They shouldn't do so, but it happens anyway.


Don Armstrong

1: Though I must admit that it's not clear to me why
http://packages.qa.debian.org/w/wordpress/news/20080306T195216Z.html
hasn't been accepted.
-- 
A citizen of America will cross the ocean to fight for democracy, but
won't cross the street to vote in a national election.
 -- Bill Vaughan

http://www.donarmstrong.com              http://rzlab.ucr.edu