Re: [Secure-testing-commits] r13252 - data
On 11/9/09, Thijs Kinkhorst wrote:
> On Monday 9 November 2009, Jakub Wilk wrote:
>> NOTE: embeds msgfmt.py script
>> - - mailman (embed)
>> + - mailman (embed; #555416)
>
> Although this is installed into the Debian package, it is never used and not
> installed into the path. What is the risk here? I can see to removing it in a
> next release purely because it's cruft, but do not see the added value of
> putting it on the embedded code copies list.

msgfmt.py is currently installed to /usr/lib/mailman, so it very well could lead to a problem if a security issue is discovered. any and all embeds are useful to track in preparation for future security vulnerabilities. additionally, embeds are violations of debian policy, so they should be tracked and fixed. i see no better resource for this than the tracker's existing list.

mike
Re: [Secure-testing-commits] r13252 - data
* Thijs Kinkhorst, 2009-11-09, 20:56:
>> NOTE: embeds msgfmt.py script
>> - - mailman (embed)
>> + - mailman (embed; #555416)
>
> Although this is installed into the Debian package, it is never used and not
> installed into the path. What is the risk here? I can see to removing it in a
> next release purely because it's cruft, but do not see the added value of
> putting it on the embedded code copies list.

We are already documenting things that are no security risk at all (like stuff fixed way before etch) and I strongly believe that is the right thing to do. The whole point of this file is to make obvious which versions are affected (even if none actually are).

That said, this entry should be probably marked as .

--
Jakub Wilk
Re: [Secure-testing-commits] r13252 - data
On Monday 9 November 2009, Jakub Wilk wrote:
> NOTE: embeds msgfmt.py script
> - - mailman (embed)
> + - mailman (embed; #555416)

Although this is installed into the Debian package, it is never used and not installed into the path. What is the risk here? I can see to removing it in a next release purely because it's cruft, but do not see the added value of putting it on the embedded code copies list.

Thijs
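
Review bot: on the added line "+ - mailman (embed; #555416)" the bug number is the only new information, and the "NOTE: embeds msgfmt.py script" line above it still does not say where the copy is installed or whether it is used. Extending the NOTE with what the thread states (installed to /usr/lib/mailman, not on the path, described as never used) would let a reader of the list judge exposure without opening the bug.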