Bug#769705: unblock: pdns-recursor/3.6.2-2
* Jonathan Wiltshire [141116 22:13]: > On Sun, Nov 16, 2014 at 06:00:12PM +0100, Christian Hofstaedtler wrote: > > * Julien Cristau [141116 17:45]: > > > On Sun, Nov 16, 2014 at 17:24:02 +0100, Christian Hofstaedtler wrote: > > > > pdns-recursor does a check with upstream to see if they think the > > > > version the user is running has a security issue. (This check is > > > > done using DNS and a log message is printed if there are known > > > > issues.) > > > > > > > Calling home sounds like a misfeature... > > > > In general I'd agree with you. > > > > Users can turn this off by setting security-poll-suffix empty, as > > pointed out by the upstream docs. > > > > I think for PowerDNS the home call is warranted, given that... > > > > 1) both pdns-server and -recursor are usually Internet exposed services > > that regularly see abuse (DDoS reflection, regular DoS, ...) > > > > 2) they usually end up being installed and then forgotten until they > > stop working (then somebody may read a log file) > > > > 3) upstream is not some evil enterprise corp, but a pure open source > > company that really tries to tie in and work with downstreams. > > We have a security team for this. Users who want to stay secure should > subscribe to debian-security-announce, and react to DSAs. I think the case here is that some users need more pushing, and people come crying to upstream when they run versions from oldstable. After all, Debian ends support for stable distributions after some time, and "root servers" in some data center farms tend to run way longer than that. > I'd be pretty surprised if I installed pdns-* and found them checking up on > security for me, even if it is mentioned in the upstream docs. After all, > the point of installing from packages is that the maintainer has done the > donkey work of making things work, so I might not even have cause to refer > to them. > > I realise this is done with the best of intentions by upstream, but it > would be better if they worked with the security team and stable release > managers to proactively push updates out to users, instead of relying on > them finding a log snippet. I agree, and I must say that I personally think the Debian packaging (freshness) as well as upstream's (actual and commitment to) help have improved dramatically. > IMO this should be conservative and disabled by default in the package. I disagree based on my view of what software runs (on) the Internet today, and is sending me and others useless, dangerous, and expensive traffic. (I do see the privacy issue here, but it's something different for a server daemon and, say, an office package.) -- ,''`. Christian Hofstaedtler : :' : Debian Developer `. `' 7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03 `- signature.asc Description: Digital signature
Bug#769705: unblock: pdns-recursor/3.6.2-2
On Sun, Nov 16, 2014 at 06:00:12PM +0100, Christian Hofstaedtler wrote: > * Julien Cristau [141116 17:45]: > > On Sun, Nov 16, 2014 at 17:24:02 +0100, Christian Hofstaedtler wrote: > > > pdns-recursor does a check with upstream to see if they think the > > > version the user is running has a security issue. (This check is > > > done using DNS and a log message is printed if there are known > > > issues.) > > > > > Calling home sounds like a misfeature... > > In general I'd agree with you. > > Users can turn this off by setting security-poll-suffix empty, as > pointed out by the upstream docs. > > I think for PowerDNS the home call is warranted, given that... > > 1) both pdns-server and -recursor are usually Internet exposed services > that regularly see abuse (DDoS reflection, regular DoS, ...) > > 2) they usually end up being installed and then forgotten until they > stop working (then somebody may read a log file) > > 3) upstream is not some evil enterprise corp, but a pure open source > company that really tries to tie in and work with downstreams. We have a security team for this. Users who want to stay secure should subscribe to debian-security-announce, and react to DSAs. I'd be pretty surprised if I installed pdns-* and found them checking up on security for me, even if it is mentioned in the upstream docs. After all, the point of installing from packages is that the maintainer has done the donkey work of making things work, so I might not even have cause to refer to them. I realise this is done with the best of intentions by upstream, but it would be better if they worked with the security team and stable release managers to proactively push updates out to users, instead of relying on them finding a log snippet. IMO this should be conservative and disabled by default in the package. That said, I'm not about to pull pdns from Jessie for it. -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 signature.asc Description: Digital signature
Bug#769705: unblock: pdns-recursor/3.6.2-2
* Julien Cristau [141116 17:45]: > On Sun, Nov 16, 2014 at 17:24:02 +0100, Christian Hofstaedtler wrote: > > pdns-recursor does a check with upstream to see if they think the > > version the user is running has a security issue. (This check is > > done using DNS and a log message is printed if there are known > > issues.) > > > Calling home sounds like a misfeature... In general I'd agree with you. Users can turn this off by setting security-poll-suffix empty, as pointed out by the upstream docs. I think for PowerDNS the home call is warranted, given that... 1) both pdns-server and -recursor are usually Internet exposed services that regularly see abuse (DDoS reflection, regular DoS, ...) 2) they usually end up being installed and then forgotten until they stop working (then somebody may read a log file) 3) upstream is not some evil enterprise corp, but a pure open source company that really tries to tie in and work with downstreams. Cheers, Christian -- ,''`. Christian Hofstaedtler : :' : Debian Developer `. `' 7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03 `- pgpFnTAYHsfTU.pgp Description: PGP signature
Bug#769705: unblock: pdns-recursor/3.6.2-2
On Sun, Nov 16, 2014 at 17:24:02 +0100, Christian Hofstaedtler wrote: > Control: tag -1 - moreinfo > > * Julien Cristau [141116 17:13]: > > > * Set PACKAGEVERSION to identify the packages as coming from Debian > > > for security polling support. This closes #767701 (important) > > > > What makes that bug important? > > pdns-recursor does a check with upstream to see if they think the > version the user is running has a security issue. (This check is > done using DNS and a log message is printed if there are known > issues.) > Calling home sounds like a misfeature... Cheers, Julien signature.asc Description: Digital signature
Processed: Re: Bug#769705: unblock: pdns-recursor/3.6.2-2
Processing control commands: > tag -1 - moreinfo Bug #769705 [release.debian.org] unblock: pdns-recursor/3.6.2-2 Removed tag(s) moreinfo. -- 769705: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769705 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.b769705.14161550397161.transcr...@bugs.debian.org
Bug#769705: unblock: pdns-recursor/3.6.2-2
Control: tag -1 - moreinfo * Julien Cristau [141116 17:13]: > > * Set PACKAGEVERSION to identify the packages as coming from Debian > > for security polling support. This closes #767701 (important) > > What makes that bug important? pdns-recursor does a check with upstream to see if they think the version the user is running has a security issue. (This check is done using DNS and a log message is printed if there are known issues.) While this works fine with the current version, there's no way the powerdns.com servers can know if this is a Debian version or the vanilla thing. When a security upload happens it'd be useful for that to work, so a 3.6.2-2deb8u1 can be identified and be known as being a fixed version. (Right now, it asks for "3.6.2", not "3.6.2-1.Debian".) Thank you for your consideration, -- ,''`. Christian Hofstaedtler : :' : Debian Developer `. `' 7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03 `- pgpEQfXYl2tn0.pgp Description: PGP signature
Processed: Re: Bug#769705: unblock: pdns-recursor/3.6.2-2
Processing control commands: > tag -1 moreinfo Bug #769705 [release.debian.org] unblock: pdns-recursor/3.6.2-2 Added tag(s) moreinfo. -- 769705: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769705 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.b769705.14161543933065.transcr...@bugs.debian.org
Bug#769705: unblock: pdns-recursor/3.6.2-2
Control: tag -1 moreinfo On Sat, Nov 15, 2014 at 18:40:29 +0100, Christian Hofstaedtler wrote: > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Dear Release Team, > > pdns-recursor 3.6.2-2 contains only packaging changes, they are: > > * Set PACKAGEVERSION to identify the packages as coming from Debian > for security polling support. This closes #767701 (important) What makes that bug important? Cheers, Julien signature.asc Description: Digital signature
Bug#769705: unblock: pdns-recursor/3.6.2-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear Release Team, pdns-recursor 3.6.2-2 contains only packaging changes, they are: * Set PACKAGEVERSION to identify the packages as coming from Debian for security polling support. This closes #767701 (important) * Fix smoke autopkgtest (correct stupid oversight from when the test has been added). * Set Vcs-Git and Vcs-Browser to the "correct" anonscm.d.o values, zapping lintian warnings for that. I'm attaching a debdiff from 3.6.2-1 (in jessie). Please unblock package pdns-recursor: unblock pdns-recursor/3.6.2-2 Thank you, Christian diff -Nru pdns-recursor-3.6.2/debian/changelog pdns-recursor-3.6.2/debian/changelog --- pdns-recursor-3.6.2/debian/changelog 2014-10-30 17:34:48.0 +0100 +++ pdns-recursor-3.6.2/debian/changelog 2014-11-15 18:06:05.0 +0100 @@ -1,3 +1,15 @@ +pdns-recursor (3.6.2-2) unstable; urgency=medium + + * Set package vendor for security status polling. +Requires directly including buildflags.mk so d/rules can modify +CXXFLAGS. (Closes: #767701) + * d/control: Update Vcs-Git and Vcs-Browser + * Fix "smoke" autopkgtest. +The test definition was incorrectly copied from the pdns-server +package. + + -- Christian Hofstaedtler Sat, 15 Nov 2014 17:42:26 +0100 + pdns-recursor (3.6.2-1) unstable; urgency=high * Imported Upstream version 3.6.2, a bugfix release (Closes: #767368) diff -Nru pdns-recursor-3.6.2/debian/control pdns-recursor-3.6.2/debian/control --- pdns-recursor-3.6.2/debian/control 2014-10-30 14:16:26.0 +0100 +++ pdns-recursor-3.6.2/debian/control 2014-11-15 17:28:23.0 +0100 @@ -4,9 +4,9 @@ Standards-Version: 3.9.6 Maintainer: Debian PowerDNS Maintainers Uploaders: Matthijs Möhlmann , Marc Haber , Christian Hofstaedtler -Build-Depends: debhelper (>= 9~), dh-systemd, quilt, dpkg-dev (>= 1.10.17), libboost-dev, libboost-serialization-dev, liblua5.2-dev, pkg-config -Vcs-Git: git://git.debian.org/pkg-pdns/pdns-recursor.git -Vcs-Browser: http://git.debian.org/?p=pkg-pdns/pdns-recursor.git +Build-Depends: debhelper (>= 9~), dh-systemd, quilt, dpkg-dev (>= 1.17.0~), libboost-dev, libboost-serialization-dev, liblua5.2-dev, pkg-config +Vcs-Git: git://anonscm.debian.org/pkg-pdns/pdns-recursor.git +Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-pdns/pdns-recursor.git Homepage: http://www.powerdns.com/ Package: pdns-recursor diff -Nru pdns-recursor-3.6.2/debian/rules pdns-recursor-3.6.2/debian/rules --- pdns-recursor-3.6.2/debian/rules 2014-10-30 14:16:26.0 +0100 +++ pdns-recursor-3.6.2/debian/rules 2014-11-15 17:28:23.0 +0100 @@ -8,6 +8,13 @@ # Enable hardening features for daemons # Note: blhc (build log hardening check) will find these false positivies: CPPFLAGS 2 missing, LDFLAGS 1 missing export DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow,+pie +DPKG_EXPORT_BUILDFLAGS = 1 +# Include buildflags.mk so we can append to the vars it sets. +include /usr/share/dpkg/buildflags.mk + +# Vendor and version (after buildflags.mk so we don't overwrite CXXFLAGS) +version := $(shell dpkg-parsechangelog -SVersion).$(shell dpkg-vendor --query Vendor) +CXXFLAGS += -DPACKAGEVERSION='"$(version)"' # Use new build system %: diff -Nru pdns-recursor-3.6.2/debian/tests/smoke pdns-recursor-3.6.2/debian/tests/smoke --- pdns-recursor-3.6.2/debian/tests/smoke 2014-10-30 14:16:26.0 +0100 +++ pdns-recursor-3.6.2/debian/tests/smoke 2014-11-15 18:06:05.0 +0100 @@ -2,8 +2,8 @@ exec 2>&1 set -ex -cat /etc/powerdns/recursor.conf +auth-zones=example.org=/etc/powerdns/example.org.zone EOF cat