Debian Developers - security related bug report - no maintainer reaction for 1 year

Johannes Poehlmann

2004-07-21, 5:58 pm

I am working in the development project for the speak-freely package.
(speak-freely.sourceforge.net)

One year and a day ago, I filed this bug report, saying that
o There are security related bugs in the very outdated debian package
o These bugs are fixed by new upstream sources
o I integrated the sources in the new package and added a link in the
bug report
o Roman Hodek tried to upload the new package as a NMU which
possibly got lost by the server problems or got cancelled
by the maintainer.

I forgot to say that I sent mail to Martin Mitchell before
with no reaction at all. It seems to be a case of undeclared
and de facto retiring of a maintainer.

Needless to say, I am quite frustrated, but I am still wanting to
see our ACTUAL package inside Debian.

Is it the policy of Debian that a non-active maintainer has the right
to block a package as long as he likes? I think it cannot be.

I think this should be reason enough to make a second try of a
NMU possible and to orphan the package.

Johannes Pöhlmann
.................................................................
Debian Bug report logs: package speak-freely

Maintainer for speak-freely is Martin Mitchell <martin@debian.org>.

Important bugs - outstanding (1 bug)

* #202244: speak-freely: New Version 7.6a fixes buffer overflows and tmp races
Package: speak-freely; Severity: important; Reported by:
Johannes Poehlmann <johannes@lst.de>; Tags: patch,
security; 1 year and 1 day old.



--
To UNSUBSCRIBE, email to debian-qa-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Turbo Fredriksson

2004-07-21, 5:58 pm

Quoting Johannes Poehlmann <johannes@lst.de>:

> o These bugs are fixed by new upstream sources


If you want this to be fixed in the woody version (woody is our current
stable) - which is 7.2-1 - you will have to backport the fix(es).

The reason for this is that NO (and I do mean absolutely NO) new code is
allowed in stable. _ONLY_ (!!) the actual bug/security fix (it is scrutinised
very hard!).

> Needless to say, I am quite frustrated, but I am still wanting to
> see our ACTUAL package inside debian.


Your new version will NEVER end up in woody. Sorry, but that's our policy.


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Andrew Suffield

2004-07-21, 5:58 pm

On Wed, Jul 21, 2004 at 01:29:04PM +0200, Johannes Poehlmann wrote:
> I am working in the development project for the speak-freely package.
> (speak-freely.sourceforge.net)
>
> One year and a day ago, I filed this bug report, saying that
> o There are security related bugs in the very outdated debian package
> o These bugs are fixed by new upstream sources
> o I integrated the sources in the new package and added a link in the
> bug report
> o Roman Hodek tried to upload the new package as a NMU which
> possibly got lost by the server problems or got cancelled
> by the maintainer.
>
> I forgot to say that I sent mail to Martin Mitchell before
> with no reaction at all. It seems to be a case of undeclared
> and de facto retiring of a maintainer.


Mitchell has been known to be MIA for a long time. All his packages
should have been orphaned some time ago.

In this case, it appears that the package has been dropped from the
distribution entirely (probably because of the security issues), so
there's no bug open about it being orphaned.

You can't NMU it, because there's nothing to NMU. You'd have to upload
it as a new package.

--
.''`. ** Debian GNU/Linux ** | Andrew Suffield
: :' : http://www.debian.org/ |
`. `' |
`- -><- |

Andreas Barth

2004-07-21, 5:58 pm

Hi Johannes,

* Johannes Poehlmann (johannes@lst.de) [040721 14:55]:
> I am working in the development project for the speak-freely package.
> (speak-freely.sourceforge.net)
>
> One year and a day ago, I filed this bug report, saying that
> o There are security related bugs in the very outdated debian package
> o These bugs are fixed by new upstream sources
> o I integrated the sources in the new package and added a link in the
> bug report
> o Roman Hodek tried to upload the new package as a NMU which
> possibly got lost by the server problems or got cancelled
> by the maintainer.


the current status is: This package is only available in woody, the
current stable distribution. So, please feel free to upload it fresh
to unstable if you want (but you'll need a sponsor for this).

For woody (or any stable distribution), things are a bit outdated most
times. That is the reason why it is called stable. If you can provide
the security team with the necessary information about the nature of
the bug, they can do a security upload. Please see
http://www.debian.org/doc/developer...#s-bug-security
for details.


For the other issues how to deal with new packages, please see
http://www.debian.org/doc/debian-policy/ and
http://www.debian.org/doc/developers-reference/ .



Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C


Frank Lichtenheld

2004-07-21, 5:58 pm

On Wed, Jul 21, 2004 at 01:29:04PM +0200, Johannes Poehlmann wrote:
> I am working in the development project for the speak-freely package.
> (speak-freely.sourceforge.net)


speak-freely was removed from Debian unstable and its security bugs will
probably not be fixed in stable since it is non-free there and thereby not
supported by the security team...

If you want to see the package in Debian, file an ITP or RFP and find a
sponsor or maintainer for it.

Regards,
--
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/


Martin Michlmayr

2004-07-21, 5:58 pm

* Andrew Suffield <asuffield@debian.org> [2004-07-21 14:28]:
> Mitchell has been known to be MIA for a long time. All his packages
> should have been orphaned some time ago.


This has in fact been done a long time ago.
--
Martin Michlmayr
tbm@cyrius.com


Daniel Burrows

2004-07-21, 5:58 pm

On Wed, Jul 21, 2004 at 03:54:31PM +0200, Frank Lichtenheld <djpig@debian.org> was heard to say:
> On Wed, Jul 21, 2004 at 01:29:04PM +0200, Johannes Poehlmann wrote:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> speak-freely was removed from Debian unstable and its security bugs will
> probably not fixed in stable since it is non-free there and thereby not

^^^^^^^^^^^^^^
> supported by the security team...


Doesn't sourceforge require OSI-approved licenses? I know that OSI is
less picky than Debian, but I think a "no commercial use" license is
unambiguously non-free even by their standards.

Daniel

--
/-------------------- Daniel Burrows <dburrows@debian.org> -------------------\
| "Note that fires are not restricted to dormitories. |
| Indeed, fire can occur in off-campus residences as well." |
| -- Brown university Fire Safety Guide |
\------- Listener-supported public radio -- NPR -- http://www.npr.org --------/


Matt Zimmerman

2004-07-21, 5:58 pm

On Wed, Jul 21, 2004 at 01:29:04PM +0200, Johannes Poehlmann wrote:

> I am working in the development project for the speak-freely package.
> (speak-freely.sourceforge.net)
>
> One year and a day ago, I filed this bug report, saying that
> o There are security related bugs in the very outdated debian package
> o These bugs are fixed by new upstream sources
> o I integrated the sources in the new package and added a link in the
> bug report
> o Roman Hodek tried to upload the new package as a NMU which
> possibly got lost by the server problems or got cancelled
> by the maintainer.


Your package is in the non-free archive, which means that:

* It is not part of the Debian system

* It is not supported by the Security Team, who have enough to do in
supporting free software

--
- mdz


Florian Weimer

2004-07-28, 6:23 pm

* Turbo Fredriksson:

> Your new version will NEVER end up in woody. Sorry, but that's our
> policy.


Unfortunately, Turbo is right.

Johannes, don't be too worried about this. woody still comes with a
severely broken version of Mozilla, which hasn't been updated for the
same reason.


Matt Zimmerman

2004-07-28, 6:23 pm

On Tue, Jul 27, 2004 at 01:02:33AM +0200, Florian Weimer wrote:

> Unfortunately, Turbo is right.
>
> Johannes, don't be too worried about this. woody still comes with a
> severely broken version of Mozilla, which hasn't been updated for the
> same reason.


Why do you insist on repeatedly trolling about this subject, instead of
actually doing something about it?

--
- mdz


Brian Nelson

2004-07-28, 6:23 pm

Matt Zimmerman <mdz@debian.org> writes:

> On Tue, Jul 27, 2004 at 01:02:33AM +0200, Florian Weimer wrote:
>
>
> Why do you insist on repeatedly trolling about this subject, instead of
> actually doing something about it?


What can be done about it?

--
You win again, gravity!


Matt Zimmerman

2004-07-28, 6:23 pm

On Mon, Jul 26, 2004 at 07:38:41PM -0700, Brian Nelson wrote:

> Matt Zimmerman <mdz@debian.org> writes:
>
>
> What can be done about it?


Why, fix the bugs, of course. Or even produce a list of the bugs which need
to be fixed.

http://www.debian.org/doc/developer...#s-bug-security

--
- mdz


Martin Schulze

2004-07-28, 6:23 pm

Brian Nelson wrote:
> Matt Zimmerman <mdz@debian.org> writes:
>
>
> What can be done about it?


Provide clean and documented patches for each brokenness you find, so
it can be considered for an update (or not).

Regards,

Joey

--
WARNING: Do not execute! This call violates patent DE10108564.
http://www.elug.de/projekte/patent-...ente/DE10108564

wget -O patinfo-`date +"%Y%m%d"`.html http://patinfo.ffii.org/

Please always Cc to me when replying to me on the lists.


Brian Nelson

2004-07-28, 6:23 pm

Martin Schulze <joey@infodrom.org> writes:

> Brian Nelson wrote:
>
> Provide clean and documented patches for each brokenness you find, so
> it can be considered for an update (or not).


Like this?

http://www.mozilla.org/projects/sec...rabilities.html

--
You win again, gravity!


Matt Zimmerman

2004-07-28, 6:23 pm

On Tue, Jul 27, 2004 at 10:46:01AM -0700, Brian Nelson wrote:

> Like this?
>
> http://www.mozilla.org/projects/sec...rabilities.html


Yes, that list is an excellent place to start. The next step is to
determine which of those 80 bugs indeed affect woody, and justify a security
update, and how to fix them.

--
- mdz


Johannes Poehlmann

2004-07-28, 6:23 pm

On Tue, Jul 27, 2004 at 01:02:33AM +0200, Florian Weimer wrote:
> * Turbo Fredriksson:
>
>
> Unfortunately, Turbo is right.
>
> Johannes, don't be too worried about this. woody still comes with a
> severely broken version of Mozilla, which hasn't been updated for the
> same reason.


I have no problem with the rejection of a new upstream version if
the reason is feature freeze and a stability-first policy in woody.
That seems to be reasonable.

In fact I am looking for a sponsor who brings the new upstream version
into Debian unstable.

Johannes
for a sponsor to


Brian Nelson

2004-07-28, 6:23 pm

Matt Zimmerman <mdz@debian.org> writes:

> On Tue, Jul 27, 2004 at 10:46:01AM -0700, Brian Nelson wrote:
>
>
> Yes, that list is an excellent place to start. The next step is to
> determine which of those 80 bugs indeed affect woody, and justify a security
> update, and how to fix them.


Well, up to the November 2003 update, it lists the milestones affected,
and nearly all 63 of those bugs seem to apply to Woody's 1.0 version.
After that, they stopped listing the milestones, probably because it was
too difficult to figure out all the ones affected.

It would be a Herculean task to go through each bug, verify it applies
to Woody, backport the patch required to fix it (if it's even possible
to backport every patch considering how active Mozilla development has
been the past couple years), and come out with something usable. I'm
certainly not about to try it, especially considering how much easier it
would be to just use the latest Mozilla version instead.

--
You win again, gravity!


Matt Zimmerman

2004-07-28, 6:23 pm

On Tue, Jul 27, 2004 at 07:12:12PM -0700, Brian Nelson wrote:

> It would be a Herculean task to go through each bug, verify it applies to
> Woody, backport the patch required to fix it (if it's even possible to
> backport every patch considering how active Mozilla development has been
> the past couple years), and come out with something usable. I'm certainly
> not about to try it, especially considering how much easier it would be to
> just use the latest Mozilla version instead.


It is easier to make declarations than to do the work required, no matter
what approach is taken. Security and stability, on the other hand, are not
easy, and together they are harder still.

Have you tried building Mozilla 1.7.1 on woody recently? I have.

--
- mdz


Mathieu Roy

2004-07-28, 6:23 pm

Brian Nelson <pyro@debian.org> wrote:

> Matt Zimmerman <mdz@debian.org> writes:
> Well, up to the November 2003 update, it lists the milestones affected,
> and nearly all 63 of those bugs seem to apply to Woody's 1.0 version.
> After that, they stopped listing the milestones, probably because it was
> too difficult to figure out all the ones affected.
>
> It would be a Herculean task to go through each bug, verify it applies
> to Woody, backport the patch required to fix it (if it's even possible
> to backport every patch considering how active Mozilla development has
> been the past couple years), and come out with something usable. I'm
> certainly not about to try it, especially considering how much easier it
> would be to just use the latest Mozilla version instead.


Is this latest mozilla version available in woody? If not, why still
distributing mozilla in woody if there's no way to provide a decently
secure package?


--
Mathieu Roy

+---------------------------------------------------------------------+
| General Homepage: http://yeupou.coleumes.org/ |
| Computing Homepage: http://alberich.coleumes.org/ |
| Not a native english speaker: |
| http://stock.coleumes.org/doc.php?i.../flawed-english |
+---------------------------------------------------------------------+

