Re: Move proftpd to contrib

1999-09-20 Thread David Bristel
I was thinking more that, if we are going to remove a buggy package because of
the bugs, we should still provide it, since there are some people that are
looking for that package.  Maybe a section of main called "buggy" if it's still
included for completeness?

Dave Bristel


On Sat, 18 Sep 1999, Robert Stone wrote:

> Date: Sat, 18 Sep 1999 15:49:37 -0700
> From: Robert Stone <[EMAIL PROTECTED]>
> To: David Bristel <[EMAIL PROTECTED]>
> Cc: debian-devel@lists.debian.org
> Subject: Re: Move proftpd to contrib
> 
> On Fri, Sep 17, 1999 at 07:52:24AM -0700, David Bristel wrote:
> > Or a new section for packages removed from main due to bugs, but possibly
> > still desired by some people?  It's safer to have a clear message that
> > "Debian considers these packages to contain too many bugs for inclusion in
> > the main distribution, but we are aware that there are some who want to
> > use these packages anyway."  Something like this would eliminate any blame
> > if people use those buggy packages, and then have their systems crash or
> > go unstable, or get hacked.  Any opinions?
> > 
>   I would fear it would come across like we're pointing fingers at
> bad software developers in the community, as though we were putting a
> package on probation for being too buggy.  I don't think our goal is to
> separate good software from bad software.
>   It might be within our scope to publish bugs per code lines per
> year statistics or other hard number observations to make that decision
> easier for others, and possibly avoid dependencies on software that has
> too high a ratio of bugs to code lines or some other weighted but
> objective comparison.  A good bug vector would also give credit to
> software more widely deployed (1 in every X persons sees a bug in package
> Y every Z months).
>   Our goal is in a general sense to make free software easier to
> install, use, and maintain.  If that software has problems, it's not
> our place to single it out.  At most it might be worthwhile to help
> identify where more developer effort needs to go, but if we don't have
> the resources to devote that effort, it could be harmful to point fingers.
> 
>   -Robert
> 



Re: Move proftpd to contrib

1999-09-19 Thread Josip Rodin
On Sat, Sep 18, 1999 at 10:51:33PM +0200, Marco d'Itri wrote:
> On Sep 18, Josip Rodin <[EMAIL PROTECTED]> wrote:
>  >An alternative is wu-ftpd. It would be rather foolish to support wu-ftpd
>  >100%, however, it has almost the same status as sendmail - it is a very
> You mean that it's like sendmail, i.e. security bugs pop out every time
> somebody looks at the code?

Not quite.

-- 
enJoy -*/\*- don't even try to pronounce my first name



Re: Move proftpd to contrib

1999-09-19 Thread Marco d'Itri
On Sep 18, Josip Rodin <[EMAIL PROTECTED]> wrote:
 >An alternative is wu-ftpd. It would be rather foolish to support wu-ftpd
 >100%, however, it has almost the same status as sendmail - it is a very
You mean that it's like sendmail, i.e. security bugs pop out every time
somebody looks at the code?

-- 
ciao,
Marco



Re: Move proftpd to contrib

1999-09-18 Thread Robert Stone
On Fri, Sep 17, 1999 at 07:52:24AM -0700, David Bristel wrote:
> Or a new section for packages removed from main due to bugs, but possibly
> still desired by some people?  It's safer to have a clear message that
> "Debian considers these packages to contain too many bugs for inclusion in
> the main distribution, but we are aware that there are some who want to
> use these packages anyway."  Something like this would eliminate any blame
> if people use those buggy packages, and then have their systems crash or
> go unstable, or get hacked.  Any opinions?
> 
  I would fear it would come across like we're pointing fingers at
bad software developers in the community, as though we were putting a
package on probation for being too buggy.  I don't think our goal is to
separate good software from bad software.
  It might be within our scope to publish bugs per code lines per
year statistics or other hard number observations to make that decision
easier for others, and possibly avoid dependencies on software that has
too high a ratio of bugs to code lines or some other weighted but
objective comparison.  A good bug vector would also give credit to
software more widely deployed (1 in every X persons sees a bug in package
Y every Z months).
  Our goal is in a general sense to make free software easier to
install, use, and maintain.  If that software has problems, it's not
our place to single it out.  At most it might be worthwhile to help
identify where more developer effort needs to go, but if we don't have
the resources to devote that effort, it could be harmful to point fingers.

-Robert



Re: Move proftpd to contrib

1999-09-18 Thread Steve Lamb
On Sat, Sep 18, 1999 at 09:57:44AM +0200, Josip Rodin wrote:
> An alternative is wu-ftpd. It would be rather foolish to support wu-ftpd
> 100%, however, it has almost the same status as sendmail - it is a very
> well tested and greatly improved software, for years now.

You're right, it has the same status as sendmail.  Overly large, bloated
and slow with several other daemons already made that beat it in performance
and size by miles.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.



Re: Move proftpd to contrib

1999-09-18 Thread Josip Rodin
On Fri, Sep 17, 1999 at 11:22:59PM +0200, Martin Bialasinski wrote:
> Anyway, which ftpd in unstable do you see as the package to promote as 
> the ftpd of choice in Debian?
> 
> Just to see what our alternatives are.

An alternative is wu-ftpd. It would be rather foolish to support wu-ftpd
100%, however, it has almost the same status as sendmail - it is a very
well tested and greatly improved software, for years now.

-- 
enJoy -*/\*- don't even try to pronounce my first name



Re: Move proftpd to contrib

1999-09-18 Thread Hamish Moffatt
On Fri, Sep 17, 1999 at 04:53:43PM +0200, Martin Bialasinski wrote:
> * "Hamish" == Hamish Moffatt <[EMAIL PROTECTED]> wrote:
> 
> Hamish> I don't think policy says that contrib is a dumping ground for
> Hamish> crap packages. Can you point out which part to me please?
> 
> If you call proftpd crap, how do you call dpkg?

Sorry, I didn't mean that proftpd was crap -- I use it myself as it happens.

> Please, I am in no part convinced that anything has to be done about
> proftpd. Bugs found and fixed means there are people working with the
> code. This will just improve its quality.

I agree.


Hamish
-- 
Hamish Moffatt VK3SB (ex-VK3TYD). 
CCs of replies from mailing lists are welcome.



Re: Move proftpd to contrib

1999-09-18 Thread Raul Miller
On Fri, Sep 17, 1999 at 11:22:59PM +0200, Martin Bialasinski wrote:
> Anyway, which ftpd in unstable do you see as the package to promote as 
> the ftpd of choice in Debian?

Depending on what your needs are, perhaps roxen.

-- 
Raul



Re: Move proftpd to contrib

1999-09-17 Thread Martin Bialasinski

* "Joel" == Joel Klecker <[EMAIL PROTECTED]> wrote:

Joel> People on linux-security-audit *have* said that about proftpd,
Joel> and that was said before the most recent security hole was
Joel> discovered.  Rather proving them right, wouldn't you say?

Well, not really a proof in a scientific way. I foresee a new security
hole in cron. 

Anyway, which ftpd in unstable do you see as the package to promote as 
the ftpd of choice in Debian?

Just to see what our alternatives are.

Ciao,
Martin



Re: Move proftpd to contrib

1999-09-17 Thread Joel Klecker
At 20:45 +0200 1999-09-17, Martin Bialasinski wrote:
> OK, a bug in cron has recently produced a root exploit. What a crappy
> software, it should be moved to contrib.

There's no evidence that cron has another one just waiting to happen.
People on linux-security-audit *have* said that about proftpd, and 
that was said before the most recent security hole was discovered. 
Rather proving them right, wouldn't you say?
--
Joel Klecker (aka Espy)                Debian GNU/Linux Developer
<mailto:[EMAIL PROTECTED]>             <mailto:[EMAIL PROTECTED]>
<http://web.espy.org/>                 <http://www.debian.org/>



Re: Move proftpd to contrib

1999-09-17 Thread Johnie Ingram

"Chris" == Chris Rutter <[EMAIL PROTECTED]> writes:

Chris> And, also, arguably cron is a more important part of a Unix
Chris> system than a specific FTP daemon.

And I agree that proftpd should be moved to contrib in slink, if not
removed entirely -- no one has time to backport the
security-fix-of-the-day to a jurassic year-old codebase.

However there are no known holes in the potato version, only a
questionable coding style.

netgod




 "Hello?"  "Hi baybee"  "Are you Johnie Ingram?"  "For you
I'll be anyone"  "Ermm.. Do you sell slink CD's?"
"I love slinkies"



Re: Move proftpd to contrib

1999-09-17 Thread Chris Rutter
On 17 Sep 1999, Martin Bialasinski wrote:

> OK, a bug in cron has recently produced a root exploit. What a crappy
> software, it should be moved to contrib.

Yes, but there aren't *hundreds* of bugs in cron, all giving security
problems; it has been subject (presumably) to security review;
bugs don't keep on appearing one after another, like cockroaches,
as they do in ProFTPD.

Read what SuSE said about ProFTPD, and then see how much of it
applies to cron.  Not much.

And, also, arguably cron is a more important part of a Unix system
than a specific FTP daemon.

-- 
Chris <[EMAIL PROTECTED]> ( http://www.fluff.org/chris )



Re: Move proftpd to contrib

1999-09-17 Thread Martin Bialasinski

* "Joel" == Joel Klecker <[EMAIL PROTECTED]> wrote:

Joel> At 16:53 +0200 1999-09-17, Martin Bialasinski wrote:

>> If you call proftpd crap, how do you call dpkg?

Joel> No bug in dpkg has ever resulted in a remote root exploit.

OK, a bug in cron has recently produced a root exploit. What a crappy
software, it should be moved to contrib.

No, I still did not hear anything that would justify any action on
proftpd.

Ciao,
Martin



Re: Move proftpd to contrib

1999-09-17 Thread Joel Klecker
At 16:53 +0200 1999-09-17, Martin Bialasinski wrote:
> * "Hamish" == Hamish Moffatt <[EMAIL PROTECTED]> wrote:
>
> Hamish> I don't think policy says that contrib is a dumping ground for
> Hamish> crap packages. Can you point out which part to me please?
>
> If you call proftpd crap, how do you call dpkg?

No bug in dpkg has ever resulted in a remote root exploit.
--
Joel Klecker (aka Espy)                Debian GNU/Linux Developer
<mailto:[EMAIL PROTECTED]>             <mailto:[EMAIL PROTECTED]>
<http://web.espy.org/>                 <http://www.debian.org/>


Re: Move proftpd to contrib

1999-09-17 Thread Josip Rodin

PLEASE reply below the old text, cut unneeded quote, and wrap your lines
at 76 characters!

On Fri, Sep 17, 1999 at 07:52:24AM -0700, David Bristel wrote:
> > > This package has been a major source of serious security bugs and
> > > indications are that it will remain as such.  Our Policy states that
> > > packages that are not sufficiently free of bugs to meet our standards
> > > should not be in main and should be moved to contrib.
> > 
> > The "contrib" section should not be a dumpyard for buggy packages.
> > project/experimental seems to be the right place for those.
> > 
> > The Policy should be changed.

BTW there is already a proposal for this, see bug #45318.

> Or a new section for packages removed from main due to bugs, but possibly
> still desired by some people?  It's safer to have a clear message that
> "Debian considers these packages to contain too many bugs for inclusion in
> the main distribution, but we are aware that there are some who want to
> use these packages anyway." Something like this would eliminate any blame
> if people use those buggy packages, and then have their systems crash or
> go unstable, or get hacked.  Any opinions?

project/experimental is exactly what you described.

-- 
enJoy -*/\*- don't even try to pronounce my first name



Re: Move proftpd to contrib

1999-09-17 Thread Martin Bialasinski

* "Hamish" == Hamish Moffatt <[EMAIL PROTECTED]> wrote:

Hamish> I don't think policy says that contrib is a dumping ground for
Hamish> crap packages. Can you point out which part to me please?

If you call proftpd crap, how do you call dpkg?

Please, I am in no part convinced that anything has to be done about
proftpd. Bugs found and fixed means there are people working with the
code. This will just improve its quality.

Ciao,
Martin



Re: Move proftpd to contrib

1999-09-17 Thread David Bristel
Or a new section for packages removed from main due to bugs, but possibly still
desired by some people?  It's safer to have a clear message that "Debian
considers these packages to contain too many bugs for inclusion in the main
distribution, but we are aware that there are some who want to use these
packages anyway."  Something like this would eliminate any blame if people use
those buggy packages, and then have their systems crash or go unstable, or get
hacked.  Any opinions?

Dave Bristel


On Fri, 17 Sep 1999, Josip Rodin wrote:

> Date: Fri, 17 Sep 1999 16:44:46 +0200
> From: Josip Rodin <[EMAIL PROTECTED]>
> To: John Goerzen <[EMAIL PROTECTED]>
> Cc: debian-devel@lists.debian.org
> Subject: Re: Move proftpd to contrib
> Resent-Date: 17 Sep 1999 14:45:46 -
> Resent-From: debian-devel@lists.debian.org
> Resent-cc: recipient list not shown: ;
> 
> On Thu, Sep 16, 1999 at 10:42:36PM -0500, John Goerzen wrote:
> > This package has been a major source of serious security bugs and
> > indications are that it will remain as such.  Our Policy states that
> > packages that are not sufficiently free of bugs to meet our standards
> > should not be in main and should be moved to contrib.
> 
> The "contrib" section should not be a dumpyard for buggy packages.
> project/experimental seems to be the right place for those.
> 
> The Policy should be changed.
> 
> -- 
> enJoy -*/\*- don't even try to pronounce my first name



Re: Move proftpd to contrib

1999-09-17 Thread Josip Rodin
On Thu, Sep 16, 1999 at 10:42:36PM -0500, John Goerzen wrote:
> This package has been a major source of serious security bugs and
> indications are that it will remain as such.  Our Policy states that
> packages that are not sufficiently free of bugs to meet our standards
> should not be in main and should be moved to contrib.

The "contrib" section should not be a dumpyard for buggy packages.
project/experimental seems to be the right place for those.

The Policy should be changed.

-- 
enJoy -*/\*- don't even try to pronounce my first name



Re: Move proftpd to contrib

1999-09-17 Thread J.H.M. Dassen (Ray)
On Thu, Sep 16, 1999 at 22:42:36 -0500, John Goerzen wrote:
> This package has been a major source of serious security bugs and
> indications are that it will remain as such.

SuSE have indicated they're dropping it:
http://linuxtoday.com/story.php3?sn=10124 .

> Our Policy states that packages that are not sufficiently free of bugs to
> meet our standards should not be in main and should be moved to contrib.

Note that there is currently a proposal on -policy to remove that part of
contrib's description, making licensing terms and dependency on non-free
software the only criteria in deciding main/non-free/contrib.

Ray
-- 
Obsig: developing a new sig



Re: Move proftpd to contrib

1999-09-17 Thread Ruud de Rooij
Hamish Moffatt <[EMAIL PROTECTED]> writes:

> On Thu, Sep 16, 1999 at 10:42:36PM -0500, John Goerzen wrote:
> > This package has been a major source of serious security bugs and
> > indications are that it will remain as such.  Our Policy states that
> > packages that are not sufficiently free of bugs to meet our standards
> > should not be in main and should be moved to contrib.  I therefore
> 
> I don't think policy says that contrib is a dumping ground for
> crap packages. Can you point out which part to me please?

2.1.3. The contrib section
--------------------------

 Every package in "contrib" must comply with the DFSG.

 Examples of packages which would be included in "contrib" are
* free packages which require "contrib", "non-free", or "non-US"
  packages or packages which are not in our archive at all for
  compilation or execution,
* wrapper packages or other sorts of free accessories for non-free
  programs,
--->* packages which we don't want to support because they are too
--->  buggy, and
* packages which fail to meet some other policy requirements in a
  serious way.

- Ruud de Rooij.
-- 
ruud de rooij | [EMAIL PROTECTED] | http://ruud.org



Re: Move proftpd to contrib

1999-09-17 Thread Hamish Moffatt
On Thu, Sep 16, 1999 at 10:42:36PM -0500, John Goerzen wrote:
> This package has been a major source of serious security bugs and
> indications are that it will remain as such.  Our Policy states that
> packages that are not sufficiently free of bugs to meet our standards
> should not be in main and should be moved to contrib.  I therefore

I don't think policy says that contrib is a dumping ground for
crap packages. Can you point out which part to me please?


Hamish
-- 
Hamish Moffatt VK3SB (ex-VK3TYD). 
CCs of replies from mailing lists are welcome.



Re: Move proftpd to contrib

1999-09-17 Thread Johnie Ingram

"John" == John Goerzen <[EMAIL PROTECTED]> writes:

John> whatever steps necessary to do that.  We absolutely cannot
John> release a distribution with such a bubbling security hole as
John> this.

True, but I suggest waiting until freeze time before deciding its
worthiness.

netgod




* SynrG notes that the number of configuration questions to answer in sendmail
  is NON-TRIVIAL
-- Seen on #Debian



Move proftpd to contrib

1999-09-17 Thread John Goerzen
This package has been a major source of serious security bugs and
indications are that it will remain as such.  Our Policy states that
packages that are not sufficiently free of bugs to meet our standards
should not be in main and should be moved to contrib.  I therefore
encourage that people involved take whatever steps necessary to do
that.  We absolutely cannot release a distribution with such a
bubbling security hole as this.

-- John