On Fri, Dec 09, 2016 at 11:58:02AM +0100, Didier 'OdyX' Raboud wrote:
> On Friday, 9 December 2016, 04.55:20 h CET Ron wrote:
> > > If you haven't yet, I urge you to use our standard interface to report
> > > such bugs; please make sure issues like this one are public on our
> > > bugtracker, with correct found/notfound version markers.
> >
> > Do you really want entries in the tracker for buggy code that was never
> > in Debian, because I nacked Punit uploading things he didn't understand
> > with a vague promise to maybe look at them later?
>
> That code is now in Debian (experimental), so yes, I do expect you to act in
> good faith and report bugs you see. You are obviously quite versed in how
> 'global' works, and that's undoubtedly valuable to produce the best possible
> 'global' package.
No, the code in experimental has that 'fixed', by commenting it out and
inviting the user to uncomment it themselves.

The context for this was that that was the code which was proposed to be
uploaded, and which was last discussed, at the time this was brought to the
ctte. It never was uploaded to any suite, just published in collab-maint,
and I think Punit provided packages somewhere else.

The code in experimental does have some eye raising things in it, but nothing
that I've yet traced through as being definitely exploitable. But I also
haven't given it a serious audit yet, just eyeballed it quickly for obvious
things.

> > Now we're talking about what to do among a wider group of people, given
> > that it still looks like nothing material will change. The system works?
>
> It doesn't: it shouldn't take 3 stable releases to get a new upstream release
> for a leaf package.

There's a difference between blindly uploading a new upstream and actually
having a solution to the problem which is the reason that it wasn't. I made
that reason very clear, and invited proposed solutions in the original 'new
upstream' bug, #574947. Nobody else, except Taisuke and I, ever made any
effort to deal with that.

Taisuke and I both considered the secure use of htags to be an important use
case. But given the time that has gone by, and the fact that the upstream
code in what is currently in experimental has completely eliminated any
possible use from a secure system location now, and how doxygen's search
facility has improved in the last couple of years - my opinion has likewise
changed in line with that changed circumstance.

But it's taken all of "3 stable releases" for that to actually change ...
this wasn't at all the case at the time of the freeze for Jessie, or before.
I still think it would be rude to burn the remaining users on such short
notice - but I don't think we should delay doing that any longer than the
end of the Stretch freeze.
And if there is sufficient consensus to say "burn them immediately", I've
already said I'm ok with that too. But I would want there to be a consensus
of people who'd have my back about doing that. Else we just have the same
situation as we do now, where people abuse me for not doing exactly what
_they_ would have preferred.

> > That report led to both me and the reporter having a (very) long
> > discussion with upstream about how to resolve the real problem that
> > you keep assuming we never tried to do anything about.
>
> By "(very) long discussion", do you mean these 8 mails ?
>
> http://lists.gnu.org/archive/html/bug-global/2010-08/threads.html#00006

No. That was one thread of many. But aside from what's also in the BTS, and
on -devel (or was it -project?), the vast majority were private emails, and
span many years of trying to move this forward one way or another.