[Secure-testing-team] Etch security bug hunting season opened

Moritz Muehlenhoff jmm at inutil.org
Tue Aug 15 21:58:04 UTC 2006


Neil McGovern wrote:
> > And please also have an eye for packages which are too buggy to
> > release security-wise. Crap like oftpd, elog or mantis should never
> > have entered the archive in the first place.
> 
> Is it worth subscribing to the wnpp list, and either commenting or
> veto-ing packages?

I'm trying to follow debian-devel and to give advice where possible.
Unfortunately most people just don't care; e.g. I strongly recommended
dumping mantis completely. Still, someone NMUed it for some non-DD who'll
most definitely lose interest in half a year, like the two previous
maintainers, and leave that junk in the archive with the Security Team
needing to support it for two more years. A package with only 35 installed
popcon users and _20_ vulnerabilities since January 2005. Or elog, a
_horribly_ insecure electronic web logbook written in C, which had every
basic security flaw you could ever imagine. The DSA fixed seven CVEs;
at the time of the DSA it had six voting popcon users...

It's packages like these which kill the fun out of preparing security
updates for Debian.

Cheers,
        Moritz
