[Pkg-gnutls-maint] Bug triage

James Westby jw+debian at jameswestby.net
Wed Jun 7 18:11:13 UTC 2006

On (07/06/06 19:06), Andreas Metzler wrote:
> On 2006-06-06 James Westby <jw+debian at jameswestby.net> wrote:
> > Hi guys,
> > 352182 - Crash in the ASN.1 DER decoder
> The real *reverse* dependencies of libtasn1 are almost nothing besides
> gnutls:
> (SID)ametzler at argenau:~$ grep-dctrl -FBuild-Depends libtasn1-2 -sPackage /var/lib/apt/lists/ftp.at.debian.org_debian_dists_sid_main_source_Sources
> Package: gnutls11
> Package: shishi
> There are loads of other packages *linking* against libtasn1 but I
> doubt that more than one of these actually use it, they just link
> against a bunch of libraries (including the whole gnutls dependency
> chain) for no reason at all (pkg-config/libtool breakage). Afaiui
> these packages wouldn't inherit the libtasn vulnerability.
> Fixed libtasn1-2 and the current libtasn1-2 are not completely API
> compatible AFAIUI (older gnutls cannot link against it), so it seems
> to be a waste of time to pursue this instead of simply using
> libtasn1-3 in the 4 packages that actually matter.

Thanks for the clarification. I see the reasoning now.

> > 352188 - Crash in the ASN.1 DER decoder
> This package should never have been released with sarge:
> we should try to get it removed from there if that is possible.

What is the procedure for doing that?

> > 309111 - [GNUTLS-SA-2005-1] DoS security problem in gnutls <=1.0.24 (and
> > <=1.2.3)
> If you are positive that is fixed please do so, you are the
> maintainer. - Noting down which versions you verified to be fixed in
> the bug-report would be helpful.

I will check for a third time, and then close it.

> > 364287 and 364291 are for upstream. What is the usual way of reporting
> > things to the gnutls developers? Does the mailing list suffice? (I think
> > these two deserve to be normal rather than wishlist as they are features
> > I would expect to be in the program).
> [...]
> I agree that they should be forwarded, however I still think they are
> wishlist requests.

I will have a quick look to see how difficult they are, then forward
them. I'll demote them to wishlist.

> Yes, the mailing list gnutls-dev
> http://lists.gnupg.org/mailman/listinfo/gnutls-dev 
> is the way to go afaik.

Thanks for your advice, hopefully I'll be up to speed soon.


  James Westby
  jw+debian at jameswestby.net
