[Secure-testing-team] Re: Bug#349261: Bug#342943: only kronolith2 fixed

[Martin Schulze]

Ola Lundqvist wrote:
> > > I haven't managed to find any more bugs relating to this particular
> > > security hole that isn't fixed by the previous patch in this bug
> > > report.  kronolith seems to be fairly badly coded wrt security
> > > issues though. I'd suggest depreciating kronolith1 and forcing
> > > people on to kronolith2, whcih although only a little better, is
> > > actually supported upstream.
> > 
> > The problem is that kronolith2 depends on version 3 of the horde
> > framework (rather than version 2), that the two versions of horde
> > cannot meaningfully cooperate and there are still some horde2
> > applications that have not been ported to horde3. Basically, upstream
> > has abandoned horde2 before they ported all their OWN code to horde3.
> > 
> > So dropping horde2 is a regression, which explains why we haven't done
> > it yet. But I'm toying with the idea, as we cannot meaningfully
> > support it anyway. Ola, your opinion?
> 
> If kronolith1 (named kronolith) can not be fixed, and is not supported
> at all by upstream I think we should drop it.

It seems to be removed already.

Regards,

	Joey

-- 
Everybody talks about it, but nobody does anything about it!  -- Mark Twain

Please always Cc to me when replying to me on the lists.