Bug#891982: xchat: Intent to file removal bug

2018-03-05 Thread Gianfranco Costamagna
control: severity -1 important
control: clone -1 -2
control: reassign -2 src:hexchat
control: retitle -2 hexchat: current upstream maintainer is fixing security bugs without disclosing them, making hexchat completely unsafe for stable releases

Hello,

(I'm cloning based on the fact that the new upstream hexchat maintainer is not disclosing security bugs, see the last line of my answer)


(please note, as a *current* maintainer, I think this shouldn't be RC, unless somebody points out *real* issues with the package.)
>1. "in the maintainer's opinion, makes the package unsuitable for release" [1]


This is complete nonsense.
The Xchat that has been removed is really different from the one that is currently in testing: it has been patched for all the outstanding security vulnerabilities, the packaging has been redone mostly from scratch, I fixed a lot of bugs, and added a lot of patches.

Sorry, but the previous maintainers filed an RM bug for a package that is completely different from the actual one.

>2. "introduces a security hole on systems where you install the packages" [2]


pics or didn't happen, you are *all* speculating here.

>3. Multiple copies of the same code base [3]


I disagree even here: the fork is now a lot different from the original code, even cherry-picking patches is becoming difficult right now, but the codebase of xchat is even smaller (I didn't check this claim).
>4. Although not specified in Debian Policy, I believe the Debian
>Project generally does not wish to see "unmaintainable" software in
>Debian, especially if there are maintainable alternatives.


Maintainable, unless you prove me wrong.
It had 6 uploads with patches in the last 6 months, I wouldn't say "unmaintainable".
(one was done by the security team, using my patches to patch stable, so this has even been a good chance to fix older systems)

Please, point out real issues, not something "read over the internet".

>5. I'm definitely nitpicking here, but the new Debian maintainer did
>not completely follow the Developers Reference practice for
>re-introducing a package by filing an ITP and CCing debian-devel. [4]
>Therefore, in my opinion, the Debian project never collectively agreed
>to xchat's reintroduction to Debian.


To be honest, this is the really good issue in the whole discussion. I have been asking some friend DDs about this point, and I don't really think we have a good policy for such cases; it would be nice to write one down, because I don't know whether the policy applies here.
>The author posted his opinion to his personal blog and did not
>directly start the reddit discussion. Also, that author is the subject
>matter expert here and I think we should give due deference to his
>understanding of the security issues present in xchat for which he did
>not seek CVE designations.


He started the reddit discussion after commenting on another thread with a completely unrelated topic [1]

[1] 
https://www.reddit.com/r/linux/comments/8158na/appimagehub_crowdsourced_central_appimage/?st=je9p019d=5ecc7dd3

>Yes, I'm well aware of your position since I've read the reddit discussion.
>However, your characterization of Debian's practice is inaccurate. For
>instance, I'm helping to remove hundreds of packages from Debian right
>now. The packages often are maintained more or less in Debian but have
>had no upstream development for years. [5]

Ok, so what about integrating patches, fixing two more bugs and then releasing a new upstream tarball? Would that make you stop asking to remove maintained packages?

I don't think this can actually make things better, but meh, I really don't get how this discussion can continue, based only on assumptions and not facts.
(Seriously, we have a lot of software, and I'm not against removing old stuff, but *please* point me to issues, not speculations.)

Right now this bug is nonsense.

BTW: people had more than "400 comments on reddit" about some well-known init system, did you file a removal bug for it too?

talking about something is not really.

and last thing:
If the hexchat maintainer has fixed security bugs without disclosing them, this would make everybody running stable insecure by definition. Let's move the discussion to hexchat as well, then.

cheers,

Gianfranco



Processed: Re: Bug#891982: xchat: Intent to file removal bug

2018-03-05 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 important
Bug #891982 [src:xchat] xchat: Intent to file removal bug
Severity set to 'important' from 'serious'
> clone -1 -2
Bug #891982 [src:xchat] xchat: Intent to file removal bug
Bug 891982 cloned as bug 892085
> reassign -2 src:hexchat
Bug #892085 [src:xchat] xchat: Intent to file removal bug
Bug reassigned from package 'src:xchat' to 'src:hexchat'.
No longer marked as found in versions xchat/2.8.8-13.
Ignoring request to alter fixed versions of bug #892085 to the same values 
previously set
> retitle -2 hexchat: current upstream maintainer is fixing security bugs 
> without disclosing them, making hexchat completely unsafe for stable releases
Bug #892085 [src:hexchat] xchat: Intent to file removal bug
Changed Bug title to 'hexchat: current upstream maintainer is fixing security 
bugs without disclosing them, making hexchat completely unsafe for stable 
releases' from 'xchat: Intent to file removal bug'.

-- 
891982: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891982
892085: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892085
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#891982: xchat: Intent to file removal bug

2018-03-04 Thread Antoine Beaupre
On Sun, Mar 04, 2018 at 05:50:15PM +0100, John Paul Adrian Glaubitz wrote:
> >> I don't think a rant posted on reddit by the author of a fork
> >> is justified enough to ask for a package to be removed from
> >> the archive.
> > 
> > The author posted his opinion to his personal blog and did not
> > directly start the reddit discussion. Also, that author is the subject
> > matter expert here and I think we should give due deference to his
> > understanding of the security issues present in xchat for which he did
> > not seek CVE designations.
> 
> If he is an expert, why didn't he even bother posting a single valid
> example where xchat is insecure and poses a risk to its users?
> 
> If there are valid vulnerabilities, it shouldn't be a problem to list
> them.

So in response to this request, I have contacted TingPing regarding his
claims, to try and clarify which security issues he has found in XChat
during the maintenance of hexchat. He was kind enough to respond
with a few examples.

He pointed at 4 recent commits fixing remote crashes when connecting to
an untrusted IRC server:

https://github.com/hexchat/hexchat/commit/f4a592c4f0364d35068bca9f2634946750340356
https://github.com/hexchat/hexchat/commit/a3db4e577307742965f5ba75daf03146164bd211
https://github.com/hexchat/hexchat/commit/6e4fc09ce005db965523ef8930ea51ca429815a2
https://github.com/hexchat/hexchat/commit/f6333b592b0d574d68e96d04a09a6cae956ee6c3

Those have been discovered by fuzzing and are generally not possible to
trigger by other users but could be abused by a hostile server to
trigger a crash in Xchat. In general, he said that most issues were
"mostly" in that domain, but he doesn't exclude crashes triggered by
other users which would be more worrisome.

I hope this answers the demand of proving the claims of security issues
more clearly.
 
Have a nice day!

A.




Bug#891982: xchat: Intent to file removal bug

2018-03-04 Thread John Paul Adrian Glaubitz
On 03/04/2018 05:26 PM, Jeremy Bicha wrote:
> 1. "in the maintainer's opinion, makes the package unsuitable for release" [1]

Didn't you say there is no longer an upstream maintainer?

Please note we have had similar cases with other packages where the maintainer
of a forked project or the original project was attacking the fork or vice
versa. This alone isn't an argument.

> 2. "introduces a security hole on systems where you install the packages" [2]

That's why I was specifically asking for a particular issue you are seeing
with the bug. Again, the maintainer of the fork ranting alone is not
justification enough.

> 3. Multiple copies of the same code base [3]

There are so many other multiple copies of code in Debian (e.g. xemacs21)
that this single leaf package doesn't really make a difference.

> 4. Although not specified in Debian Policy, I believe the Debian
> Project generally does not wish to see "unmaintainable" software in
> Debian, especially if there are maintainable alternatives.

I don't see how this package is unmaintainable. Do you think that
Gianfranco is not up to the job to take care of a simple package like
xchat?

Are we now questioning the skills of each other in public?

> 5. I'm definitely nitpicking here, but the new Debian maintainer did
> not completely follow the Developers Reference practice for
> re-introducing a package by filing an ITP and CCing debian-devel. [4]
> Therefore, in my opinion, the Debian project never collectively agreed
> to xchat's reintroduction to Debian.

Yes, you are nitpicking. Because the Debian Project doesn't have to
give their consent to let a package in the archive. That's the job
of Debian's FTP masters.

>> I don't think a rant posted on reddit by the author of a fork
>> is justified enough to ask for a package to be removed from
>> the archive.
> 
> The author posted his opinion to his personal blog and did not
> directly start the reddit discussion. Also, that author is the subject
> matter expert here and I think we should give due deference to his
> understanding of the security issues present in xchat for which he did
> not seek CVE designations.

If he is an expert, why didn't he even bother posting a single valid
example where xchat is insecure and poses a risk to its users?

If there are valid vulnerabilities, it shouldn't be a problem to list
them.

>> As long as there aren't any serious policy or security issues,
>> Debian usually doesn't impose any limitations on what packages
>> get maintained in the archive and which not.
> 
> Yes, I'm well aware of your position since I've read the reddit discussion.
> 
> However, your characterization of Debian's practice is inaccurate. For
> instance, I'm helping to remove hundreds of packages from Debian right
> now. The packages often are maintained more or less in Debian but have
> had no upstream development for years. [5]

Wasn't there recently a discussion started on debian-devel where
people were complaining about packages getting removed way too
quickly?

I really don't think that your reasoning is acceptable. None of the
points you mentioned above list actual problems. Both you and
the maintainer of the fork fail to list any actual vulnerabilities.

And, to be honest, I would find it more constructive to take care
of packages like mozjs52, which are far more important than
a leaf package like xchat, yet haven't seen any fixes or uploads
for months, with bug reports remaining unanswered.

Thanks,
Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Bug#891982: xchat: Intent to file removal bug

2018-03-04 Thread Jeremy Bicha
On Sun, Mar 4, 2018 at 10:14 AM, John Paul Adrian Glaubitz wrote:
> Could you provide any references to bug reports which indicate
> that there are problems with the xchat package which make it
> unfit for release or violate any of the points mentioned
> in the Debian Policy?

1. "in the maintainer's opinion, makes the package unsuitable for release" [1]

2. "introduces a security hole on systems where you install the packages" [2]

3. Multiple copies of the same code base [3]

4. Although not specified in Debian Policy, I believe the Debian
Project generally does not wish to see "unmaintainable" software in
Debian, especially if there are maintainable alternatives.

5. I'm definitely nitpicking here, but the new Debian maintainer did
not completely follow the Developers Reference practice for
re-introducing a package by filing an ITP and CCing debian-devel. [4]
Therefore, in my opinion, the Debian project never collectively agreed
to xchat's reintroduction to Debian.

> I don't think a rant posted on reddit by the author of a fork
> is justified enough to ask for a package to be removed from
> the archive.

The author posted his opinion to his personal blog and did not
directly start the reddit discussion. Also, that author is the subject
matter expert here and I think we should give due deference to his
understanding of the security issues present in xchat for which he did
not seek CVE designations.

> As long as there aren't any serious policy or security issues,
> Debian usually doesn't impose any limitations on what packages
> get maintained in the archive and which not.

Yes, I'm well aware of your position since I've read the reddit discussion.

However, your characterization of Debian's practice is inaccurate. For
instance, I'm helping to remove hundreds of packages from Debian right
now. The packages often are maintained more or less in Debian but have
had no upstream development for years. [5]


References
--
[1] https://release.debian.org/buster/rc_policy.txt
Specifically, Sven Hoexter, as acting Maintainer, made this
determination in https://bugs.debian.org/811007

[2] https://release.debian.org/buster/rc_policy.txt

[3] Somewhat addressed in Debian Policy § 4.13 and its footnote

[4] § 5.9.6 and § 5.9.1
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#reintroducing-pkgs
Which also says "It may indicate that the best way forward is to
switch to some other piece of software instead of reintroducing the
package. "

[5] https://lists.debian.org/debian-devel/2018/02/msg00169.html

Thanks,
Jeremy Bicha



Bug#891982: xchat: Intent to file removal bug

2018-03-04 Thread John Paul Adrian Glaubitz
Package: src:xchat
Followup-For: Bug #891982

Hi Jeremy!

Could you provide any references to bug reports which indicate
that there are problems with the xchat package which make it
unfit for release or violate any of the points mentioned
in the Debian Policy?

Please note that we have other packages in Debian like xemacs21
or micropolis-activity whose upstream is long dead but where we
have competent maintainers in Debian who are actively taking care
of these packages.

I don't think a rant posted on reddit by the author of a fork
is justified enough to ask for a package to be removed from
the archive.

As long as there aren't any serious policy or security issues,
Debian usually doesn't impose any limitations on what packages
get maintained in the archive and which not.

Thanks,
Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



Bug#891982: xchat: Intent to file removal bug

2018-03-03 Thread Alf Gaida
For God's sake, please go for it. Thank you very much.

Cheers Alf



Bug#891982: xchat: Intent to file removal bug

2018-03-03 Thread Jeremy Bicha
Source: xchat
Version: 2.8.8-13
Severity: serious

xchat was removed from Debian 2 years ago because
"dead upstream; active fork available" [1]

The situation has not changed since then. xchat has not had any
upstream releases since 2010.

Meanwhile, hexchat is under active development. The hexchat developer
has recently complained about Debian's re-inclusion of xchat [2]

Therefore, I intend to file a removal bug for xchat soon, but I am
filing this bug first.

Thanks,
Jeremy Bicha

[1] https://bugs.debian.org/811007
[2] https://tingping.github.io/2018/03/02/when-distros-get-it-wrong.html
and the 400+ comments at
https://www.reddit.com/r/linux/comments/81gij7/xchat_and_hexchat_when_distributions_get_it_wrong/