[Secure-testing-team] Re: [debian-audit] Re: Security audit for TorrentFlux

Cameron Dale camrdale at gmail.com
Wed Mar 14 21:31:27 UTC 2007

Stefan Fritsch wrote:
> All open issues are fixed in unstable in 2.1-7, see
> http://security-tracker.debian.net/tracker/source-package/torrentflux
> Some more thoughts:
> - when I looked through it, I found far fewer issues than I expected 
> (though I still think that the code quality is very bad). However, I 
> am also not a PHP expert and would not consider what I did to be a 
> full audit.
> - AFAIR most if not all issues were only for authenticated users, so 
> maybe one could add a note that it should be only used with trusted 
> users. Quake 2 was released with Sarge in this way while having lots 
> of security issues. 
> - in November or so I had a discussion with Micah on IRC and we agreed 
> that we did not see any problems with it being released with etch. I 
> didn't notice the discussion on debian-release, though.

Is there any chance of getting an audit done for this package? As Stefan
mentioned, there are no open security issues in unstable and the package
seems safe. I'm not sure if it's too late to get this into Etch,
considering the recent announcement about the new release timeline. Anyone?
