Pierre Riteau wrote:
> On Wed, Apr 05, 2006 at 11:00:16AM +0200, Moritz Muehlenhoff wrote:
> > x11 isn't setuid at all. -sdl has a strong debconf warning, that setuid
> > root is a risk (I guess it's used for DGA?) and the user can select it.
> > Only svgalib is setuid root, but a system running svgalib apps in the year
> > 2006 is lost security-wise anyway. We should rather get rid of it completely
> > for Etch.
> 
> I think it is the opposite. -sdl is not installed setuid root, whereas
> -x11 asks the user if he wants to install it setuid to use the DGA extension.

I might have mixed that up.

> The Debian security FAQ says that non-free is not supported, and I
> understand why. But it also says that if it is fixable, an update can be
> made. There were (a few) non-free security updates in the past.
> 
> I see that Bruno is alive :) If he reviews my patch for Sarge and if the
> security buildds have CPU time available, is it possible to release an
> update? I can write a part of the DSA if you want.

We're all quite busy with updates for free packages. I'd recommend
instead to include the update in the r2 Sarge stable update scheduled
for next week. You can contact the stable release managers through
[EMAIL PROTECTED]

Cheers,
        Moritz

