Bug#891982: xchat: Intent to file removal bug
control: severity -1 important
control: clone -1 -2
control: reassign -2 src:hexchat
control: retitle -2 hexchat: current upstream maintainer is fixing security bugs without disclosing them, making hexchat completely unsafe for stable releases

Hello,

(I'm cloning based on the fact that the new upstream hexchat maintainer is not disclosing security bugs, see the last line of my answer)

(please note, as a *current* maintainer, I think this shouldn't be RC, unless somebody points out *real* issues with the package.)

> 1. "in the maintainer's opinion, makes the package unsuitable for release" [1]

This is complete nonsense. The xchat that has been removed is really different from the one that is currently in testing: it has been patched for all the outstanding security vulnerabilities, packaging has been redone mostly from scratch, I fixed a lot of bugs, and added a lot of patches. Sorry, but the previous maintainers filed an RM bug for a package that is completely different from the actual one.

> 2. "introduces a security hole on systems where you install the packages" [2]

Pics or didn't happen, you are *all* speculating here.

> 3. Multiple copies of the same code base [3]

I disagree even here, the fork is now a lot different from the original code, even cherry-picking patches is becoming difficult right now, but the codebase of xchat is even smaller (I didn't check this claim).

> 4. Although not specified in Debian Policy, I believe the Debian
> Project generally does not wish to see "unmaintainable" software in
> Debian, especially if there are maintainable alternatives.

Maintainable, unless you prove me wrong. It had 6 uploads with patches in the last 6 months, I wouldn't say "unmaintainable". (one was done by the security team, using my patches to patch stable, so this has even been a good chance to fix older systems)

Please, point out real issues, not something "read over the internet".

> 5. I'm definitely nitpicking here, but the new Debian maintainer did
> not completely follow the Developers Reference practice for
> re-introducing a package by filing an ITP and CCing debian-devel. [4]
> Therefore, in my opinion, the Debian project never collectively agreed
> to xchat's reintroduction to Debian.

To be honest, this is the real good issue over the whole discussion. I have been asking some friend DDs about this point, and I don't really think we have a good policy for such cases; it would be nice to write one down, because I don't know if the policy applies here.

> The author posted his opinion to his personal blog and did not
> directly start the reddit discussion. Also, that author is the subject
> matter expert here and I think we should give due deference to his
> understanding of the security issues present in xchat for which he did
> not seek CVE designations.

He started the reddit discussion, after commenting on another thread, with a completely unrelated topic [1]

[1] https://www.reddit.com/r/linux/comments/8158na/appimagehub_crowdsourced_central_appimage/?st=je9p019d=5ecc7dd3

> Yes, I'm well aware of your position since I've read the reddit discussion.
>
> However, your characterization of Debian's practice is inaccurate. For
> instance, I'm helping to remove hundreds of packages from Debian right
> now. The packages often are maintained more or less in Debian but have
> had no upstream development for years. [5]

Ok, so what about integrating patches, fixing two more bugs and then releasing a new upstream tarball? Would that make you stop asking to remove maintained packages? I don't think this can actually make things better, but meh, I really don't get how this discussion can continue based only on assumptions, and not facts. (seriously, we have a lot of software, and I'm not contrary to removing old stuff, but *please* point me to issues, not speculations).

Right now this bug is nonsense.

BTW: people had more than "400 comments on reddit" about some well known init system, did you file a removal bug for it too? Talking about something is not really.

And last thing: if the hexchat maintainer has fixed security bugs without disclosing them, this would make everybody running stable insecure by definition.

Let's move the discussion also onto hexchat then.

cheers,

Gianfranco
Processed: Re: Bug#891982: xchat: Intent to file removal bug
Processing control commands:

> severity -1 important
Bug #891982 [src:xchat] xchat: Intent to file removal bug
Severity set to 'important' from 'serious'
> clone -1 -2
Bug #891982 [src:xchat] xchat: Intent to file removal bug
Bug 891982 cloned as bug 892085
> reassign -2 src:hexchat
Bug #892085 [src:xchat] xchat: Intent to file removal bug
Bug reassigned from package 'src:xchat' to 'src:hexchat'.
No longer marked as found in versions xchat/2.8.8-13.
Ignoring request to alter fixed versions of bug #892085 to the same values previously set
> retitle -2 hexchat: current upstream maintainer is fixing security bugs
> without disclosing them, making hexchat completely unsafe for stable releases
Bug #892085 [src:hexchat] xchat: Intent to file removal bug
Changed Bug title to 'hexchat: current upstream maintainer is fixing security bugs without disclosing them, making hexchat completely unsafe for stable releases' from 'xchat: Intent to file removal bug'.

--
891982: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891982
892085: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892085
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#891982: xchat: Intent to file removal bug
On Sun, Mar 04, 2018 at 05:50:15PM +0100, John Paul Adrian Glaubitz wrote:
> >> I don't think a rant posted on reddit by the author of a fork
> >> is justified enough to ask for a package to be removed from
> >> the archive.
> >
> > The author posted his opinion to his personal blog and did not
> > directly start the reddit discussion. Also, that author is the subject
> > matter expert here and I think we should give due deference to his
> > understanding of the security issues present in xchat for which he did
> > not seek CVE designations.
>
> If he is an expert, why didn't he even bother posting a single valid
> example where xchat is insecure and posing a risk to its users?
>
> If there are valid vulnerabilities, it shouldn't be a problem to list
> them.

So in response to this request, I have contacted TingPing regarding his claims, to try and clarify which security issues he has found in XChat during the maintenance of hexchat. He was kind enough to respond with a few examples.

He pointed at 4 recent commits fixing remote crashes when connecting to an untrusted IRC server:

https://github.com/hexchat/hexchat/commit/f4a592c4f0364d35068bca9f2634946750340356
https://github.com/hexchat/hexchat/commit/a3db4e577307742965f5ba75daf03146164bd211
https://github.com/hexchat/hexchat/commit/6e4fc09ce005db965523ef8930ea51ca429815a2
https://github.com/hexchat/hexchat/commit/f6333b592b0d574d68e96d04a09a6cae956ee6c3

Those have been discovered by fuzzing and are generally not possible to trigger by other users, but could be abused by a hostile server to trigger a crash in XChat.

In general, he said that most issues were "mostly" in that domain, but he doesn't exclude crashes triggered by other users, which would be more worrisome.

I hope this answers the demand of proving the claims of security issues more clearly.

Have a nice day!

A.
Bug#891982: xchat: Intent to file removal bug
On 03/04/2018 05:26 PM, Jeremy Bicha wrote:
> 1. "in the maintainer's opinion, makes the package unsuitable for release" [1]

Didn't you say there is no longer an upstream maintainer? Please note we have had similar cases with other packages where the maintainer of a forked project or the original project was attacking the fork or vice versa. This alone isn't an argument.

> 2. "introduces a security hole on systems where you install the packages" [2]

That's why I was specifically asking for a particular issue you are seeing with the bug. Again, the maintainer of the fork ranting alone is not justification enough.

> 3. Multiple copies of the same code base [3]

There are so many other multiple copies of code in Debian (i.e. xemacs21) that this single leaf package doesn't really make a difference.

> 4. Although not specified in Debian Policy, I believe the Debian
> Project generally does not wish to see "unmaintainable" software in
> Debian, especially if there are maintainable alternatives.

I don't see how this package is unmaintainable. Do you think that Gianfranco is not up to the job to take care of a simple package like xchat? Are we now questioning the skills of each other in public?

> 5. I'm definitely nitpicking here, but the new Debian maintainer did
> not completely follow the Developers Reference practice for
> re-introducing a package by filing an ITP and CCing debian-devel. [4]
> Therefore, in my opinion, the Debian project never collectively agreed
> to xchat's reintroduction to Debian.

Yes, you are nitpicking. Because the Debian Project doesn't have to give their consent to let a package in the archive. That's the job of Debian's FTP masters.

>> I don't think a rant posted on reddit by the author of a fork
>> is justified enough to ask for a package to be removed from
>> the archive.
>
> The author posted his opinion to his personal blog and did not
> directly start the reddit discussion. Also, that author is the subject
> matter expert here and I think we should give due deference to his
> understanding of the security issues present in xchat for which he did
> not seek CVE designations.

If he is an expert, why didn't he even bother posting a single valid example where xchat is insecure and posing a risk to its users?

If there are valid vulnerabilities, it shouldn't be a problem to list them.

>> As long as there aren't any serious policy or security issues,
>> Debian usually doesn't impose any limitations on what packages
>> get maintained in the archive and which not.
>
> Yes, I'm well aware of your position since I've read the reddit discussion.
>
> However, your characterization of Debian's practice is inaccurate. For
> instance, I'm helping to remove hundreds of packages from Debian right
> now. The packages often are maintained more or less in Debian but have
> had no upstream development for years. [5]

Wasn't there recently a discussion started on debian-devel where people were complaining about packages getting removed way too quickly?

I really don't think that your reasoning is acceptable. None of the points you mentioned above list actual problems. Both you and the maintainer of the fork fail to list any actual vulnerabilities.

And, to be honest, I would find it more constructive to take care of packages like mozjs52, which are far more important than a leaf package like xchat yet haven't seen any fixes and uploads for months, with bug reports remaining unanswered.

Thanks,
Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#891982: xchat: Intent to file removal bug
On Sun, Mar 4, 2018 at 10:14 AM, John Paul Adrian Glaubitz wrote:
> Could you provide any references to bug reports which indicate
> that there are problems with the xchat package which make it
> unfit for release or violate any of the points mentioned
> in the Debian Policy?

1. "in the maintainer's opinion, makes the package unsuitable for release" [1]

2. "introduces a security hole on systems where you install the packages" [2]

3. Multiple copies of the same code base [3]

4. Although not specified in Debian Policy, I believe the Debian Project generally does not wish to see "unmaintainable" software in Debian, especially if there are maintainable alternatives.

5. I'm definitely nitpicking here, but the new Debian maintainer did not completely follow the Developers Reference practice for re-introducing a package by filing an ITP and CCing debian-devel. [4] Therefore, in my opinion, the Debian project never collectively agreed to xchat's reintroduction to Debian.

> I don't think a rant posted on reddit by the author of a fork
> is justified enough to ask for a package to be removed from
> the archive.

The author posted his opinion to his personal blog and did not directly start the reddit discussion. Also, that author is the subject matter expert here and I think we should give due deference to his understanding of the security issues present in xchat for which he did not seek CVE designations.

> As long as there aren't any serious policy or security issues,
> Debian usually doesn't impose any limitations on what packages
> get maintained in the archive and which not.

Yes, I'm well aware of your position since I've read the reddit discussion.

However, your characterization of Debian's practice is inaccurate. For instance, I'm helping to remove hundreds of packages from Debian right now. The packages often are maintained more or less in Debian but have had no upstream development for years. [5]

References
--
[1] https://release.debian.org/buster/rc_policy.txt
    Specifically, Sven Hoexter, as acting Maintainer, made this determination in https://bugs.debian.org/811007
[2] https://release.debian.org/buster/rc_policy.txt
[3] Somewhat addressed in Debian Policy § 4.13 and its footnote
[4] § 5.9.6 and § 5.9.1 https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#reintroducing-pkgs
    Which also says "It may indicate that the best way forward is to switch to some other piece of software instead of reintroducing the package."
[5] https://lists.debian.org/debian-devel/2018/02/msg00169.html

Thanks,
Jeremy Bicha
Bug#891982: xchat: Intent to file removal bug
Package: src:xchat
Followup-For: Bug #891982

Hi Jeremy!

Could you provide any references to bug reports which indicate that there are problems with the xchat package which make it unfit for release or violate any of the points mentioned in the Debian Policy?

Please note that we have other packages in Debian like xemacs21 or micropolis-activity whose upstream is long dead but where we have competent maintainers in Debian who are actively taking care of these packages.

I don't think a rant posted on reddit by the author of a fork is justified enough to ask for a package to be removed from the archive.

As long as there aren't any serious policy or security issues, Debian usually doesn't impose any limitations on what packages get maintained in the archive and which not.

Thanks,
Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#891982: xchat: Intent to file removal bug
For god's sake, please go for it.

Thank you very much.

Cheers,
Alf
Bug#891982: xchat: Intent to file removal bug
Source: xchat
Version: 2.8.8-13
Severity: serious

xchat was removed from Debian 2 years ago because "dead upstream; active fork available" [1]

The situation has not changed since then. xchat has not had any upstream releases since 2010. Meanwhile, hexchat is under active development.

The hexchat developer has recently complained about Debian's re-inclusion of xchat [2]

Therefore, I intend to file a removal bug for xchat soon, but I am filing this bug first.

Thanks,
Jeremy Bicha

[1] https://bugs.debian.org/811007
[2] https://tingping.github.io/2018/03/02/when-distros-get-it-wrong.html and the 400+ comments at https://www.reddit.com/r/linux/comments/81gij7/xchat_and_hexchat_when_distributions_get_it_wrong/