On Tue, Aug 15, 2006 at 04:55:59PM -0600, dann frazier wrote: > On Tue, Aug 15, 2006 at 11:58:04PM +0200, Moritz Muehlenhoff wrote: > > Neil McGovern wrote: > > > > And please also have an eye for packages, which are too buggy to > > > > release security-wise. Crap like oftpd, elog or mantis should never > > > > have entered the archive at the first glance.
> > > Is it worth subscribing to the wnpp list, and either commenting or > > > veto-ing packages? > > I'm trying to follow debian-devel and giving advice where possible. > > Unfortunately most people just don't care; e.g. I strongly recommended > > to dump mantis completely. Still someone NMUed it for some non-DD who'll > > most definitely in half a year lose interest like the two previous > > maintainers and leave that junk in the archive with the Security Team > > needing to support it for two more years. A package with only 35 installed > > popcon users and _20_ vulnerabilities since January 2005. Or elog, a > > _horribly_ insecure electronic web logbook written in C, which had every > > basic security flaw you could ever imagine. The DSA fixed seven CVEs, > > at the time of DSA it had six voting popcon users... > > It's packages like these which kill the fun out of preparing security > > updates for Debian. > What about filing bugs against ftp.debian.org requesting the removal > of these packages, and asking the release managers to block the etch > release on these bugs? The bugs we block on are those marked in the BTS as RC severity with no "etch-ignore" tag. So if you want to ask us to block on them, set the severity correctly. :) > Or, perhaps file a grave bug against each package stating that it > cannot be security supported and ask the release team to drop it > from etch. Should be serious rather than grave, but yes -- the bugs should be filed against the unreleasable packages, independent of whether you request removal from the archive. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. [EMAIL PROTECTED] http://www.debian.org/ _______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
