[Secure-testing-team] sql-ledger in testing

Steffen Joeris steffen.joeris at skolelinux.de
Sun Oct 21 12:04:22 UTC 2007


Hi Raphael

On Sun, 21 Oct 2007 07:38:57 pm Raphael Hertzog wrote:
> Hi Steffen,
>
> On Sun, 21 Oct 2007, Steffen Joeris wrote:
> > I have read up on your discussion with the stable sec team. At the
> > moment, sql-ledger is in testing and from what I have heard it would be
> > possible to package and upload LedgerSMB, which fixes the security
> > issues. Therefore, I would like to remove sql-ledger from testing. For
> > lenny, ledgersmb could be used then. Any objections?
>
> Yes. Until someone has done the job of packaging LedgerSmb I would like to
> keep sql-ledger. Please understand that we're speaking of a financial
> application that companies are using... (mine included).
I totally understand that and I would also want to have other software
packaged for Debian and to be kept there, but unfortunately ...


> Also it won't be trivial to migrate from one to the other, so it's a fair
> bit of work to create the package and offer a sane upgrade path.
>
> We already documented the fact that sql-ledger is not safe to use in a
> untrusted environment.
Well my point is that sql-ledger is in stable (and not security supported), 
which is the way it is. For lenny this should, IMHO, not happen again. I 
personally see it that way:
ledgersmb is the one after sql-ledger and should be the new version. For this,
sql-ledger can be dropped in favour of ledgersmb. This somehow also makes it
the responsibility of the sql-ledger maintainer to care for ledgersmb as a
lenny version. If that is not the case, then the removal of sql-ledger
(without any alternative) should be considered.

Cheers
Steffen

P.S. Raphael please note that this is no personal criticism, you know that I 
am not up for such things. Just my two cents to the sql-ledger security 
debate.