Control: tags -1 moreinfo

On Mon, Nov 28, 2016 at 09:36:39PM +0000, Holger Levsen wrote:
> Hi,

Honestly, I had some problem replying to this mail as in my head it
sounds like an attack which my gut tells me I should pay back in the
same coin… so that's like the 4th try in overpowering my gut, which
might or might not have worked in the end.

> this bug probably has security implications (though probably only
> for low memory systems…) and has been unanswered for 9 years…

Details on how that could be a security problem would be interesting.
I find that very hard to imagine and actually based decisions on it
(see below), so that would really help for the future – but as it
stands it sounds to me like a way of forcing attention.

> with https://bugs.debian.org/apt-transport-https and with deb.debian.org
> since recently supporting https, this bug has become quite visible too…

Visible perhaps – I would doubt that – but it's not like anyone would
care. In the latest thread about https I have repeatedly mentioned that
a-t-https needs a lot of work and potentially a dedicated maintainer, as
its current state is far from ideal and at the same time unlikely to
change soon if left to the current APT team alone, as the todo list we
have is already a bottomless pit, so for big features/rewrites we tend
to talk years, not months or weeks, in the future. The responses were as
usual: non-existent – which isn't exactly helping the cause/motivation.

So, the only thing visible is perhaps that nobody actually cares enough
to work on it[0], even though there is quite the mob available if you
need someone shouting "we want it!".

On an only slightly serious note: When I read that mail, the very first
thing I was thinking of as a reaction was reassigning to ftpmaster to
ROM a-t-https due to unhandled years-old security bugs – just to see
what the reaction of the mob would be. Thankfully evil me isn't allowed
to play outside of my head, so that isn't going to happen.

> and it was reported against 0.7.6, is it even still present in today's
> unstable (or stable)?

Frankly, it wouldn't have killed you to look for yourself, would it?

But yes, it still exists today, and has since the dawn of time.
Ironically I stumbled over it shortly before the https thread on d-d@
while working on an acquire feature I wanted to add for stretch, and
fixed it along with some code reshuffling in that branch. The https
thread did derail me in this plan (it also turned out to be harder than
I hoped), so that got pushed on the buster todo instead, along with the
small memory leak I had already forgotten about again. I guess I can
brush that up and merge it for stretch later next week or so…

I wonder a bit why we haven't stumbled over this bug report in the
mass-triage at DC15, but I can totally see why I haven't seen this
report the rest of the time: I don't look at the bug list. I open it
once a month perhaps and search for keywords /after/ fixing something,
but I am never looking for something to fix, as the influx of new ones
is more than enough…

Best regards

David Kalnischkies

[0] It's maintained, of course: if there are bugs we might end up fixing
them eventually – but it's the same with the 600 other bugs in src:apt,
so that can take a while; and personally I have no direct use for
a-t-https (as I have just recently adopted a-t-tor) and would like to
see it rewritten in the long term, so I am not 'wasting' time on short-
to mid-term features for it at the moment, which further lowers the time
effectively put into it.