On 09/15/2011 02:13 PM, Joerg Jaspert wrote:
A total removal from Debian will not help fixing issues or find
solutions, and keeping it in Experimental sounds like a much much better
solution to me. I will upload a new version to Experimental soon.
Thanks. To make it easy for all of us - can
I really don't want to enter into this deeply or drag a long
discussion. I stated my opinion using my ftpmaster hat, and that's about
it.
I have no interest in digging deeply into this (or other software), nor
do I have the time for it, sorry. For more general topics I suggest
I think that going this way, with RC bugs preventing migration, is a
much more reasonable way to manage the issues.
That depends on the severity of the issues. And on a possible wrong
perception of what unstable actually is.
Wrong: A dumping ground for software, and if it doesn't work out for
Hi,
Thanks for voicing your opinion.
On 09/15/2011 02:15 AM, Joerg Jaspert wrote:
I think that going this way, with RC bugs preventing migration, is a
much more reasonable way to manage the issues.
That depends on the severity of the issues. And on a possible wrong
perception of what
Hi,
After long period of thinking, I still don't agree with the decision to
remove DTC from Debian.
- If you feel DTC is not policy compliant, then I welcome you to file
bugs, and by the way, you did it already.
- If you feel there's issues with the coding style, then go ahead as
well with the
On Fri, 12 Aug 2011 17:52:59 +0800, Thomas Goirand tho...@goirand.fr wrote:
* This package depends on being able to modify configuration files of
other packages. (see #637501 and the bugs referenced in that bug)
Yes, which is the goal of the software, yes.
If the goal this software is
On 08/13/2011 12:38 PM, Mike O'Connor wrote:
On Sat, 13 Aug 2011 09:27:18 +0800, Thomas Goirand tho...@goirand.fr wrote:
On 08/13/2011 12:27 AM, Ansgar Burchardt wrote:
* No privilege separation: everything -- including apache -- runs as
the user dtc which also owns config files for
Thomas Goirand tho...@goirand.fr writes:
On 08/13/2011 12:27 AM, Ansgar Burchardt wrote:
* No parameter binding: all SQL queries are built using string
manipulation; most parameters come directly from $_REQUEST, escaping
(via mysql_real_escape_string) is only done in some places.
No,
Package: ftp.debian.org
Severity: normal
It's a shame having to do this for a package with an active maintainer, but I
strongly feel like dtc should be removed from debian. My reasons for thinking
this:
* It seems like anyone that spends any time looking at this package finds
security bugs.
*
* It seems like anyone that spends any time looking at this package
finds security bugs.
No. Other software in Debian with more severe security record didn't
have such kind of bug open. See for example Samba, bind, and many
others. Or maybe you also want these to be removed from Debian?
This
On Fri, Aug 12, 2011 at 05:52:59PM +0800, Thomas Goirand wrote:
* It seems like anyone that spends any time looking at this package
finds security bugs.
No. Other software in Debian with more severe security record didn't
have such kind of bug open. See for example Samba, bind, and many
On Fri, Aug 12, 2011 at 01:05:38PM +0200, Philipp Kern wrote:
It is shared by a bunch of people, including myself, though. Your
responses to the security bugs were below subpar, to put it mildly.
There's not only lack of common sense in security, there's also
ignorance and offensive
Hi!
On 12.08.2011 11:52, Thomas Goirand wrote:
And me, I'm really seriously thinking you don't know how to handle
security issues as well, given the fact that you've opened public bugs,
when you should have gotten in touch with me privately. This shows as well
a big disrespect for what I do, if
On Fri, Aug 12, 2011 at 01:15:34PM +0200, Philipp Kern wrote:
In case that the bug numbers are not obvious: #614302, #614304, #611680,
#414480, #566654.
For RC bugs: #633616. I won't hold any older against you, here.
Other notable bugs (I just looked at dtc-xen's bug list which had some of
Thomas Goirand tho...@goirand.fr wrote:
And me, I'm really seriously thinking you don't know how to handle
security issues as well, given the fact that you've opened public bugs,
when you should have gotten in touch with me privately. This shows as well
a big disrespect for what I do, if opening this
Thomas Goirand tho...@goirand.fr writes:
Now, let me take a step back and try to comment on the big picture.
To make things clear: I do understand that these last MySQL and shell
insertion are really serious issues with grave consequences, and I
agree that some parts of the code are sloppy to
On 08/13/2011 12:27 AM, Ansgar Burchardt wrote:
* No parameter binding: all SQL queries are built using string
manipulation; most parameters come directly from $_REQUEST, escaping
(via mysql_real_escape_string) is only done in some places.
No, you are totally discarding
On Sat, 13 Aug 2011 09:27:18 +0800, Thomas Goirand tho...@goirand.fr wrote:
On 08/13/2011 12:27 AM, Ansgar Burchardt wrote:
* No privilege separation: everything -- including apache -- runs as
the user dtc which also owns config files for apache, bind and
others. This probably makes
On Fri, 12 Aug 2011 17:52:59 +0800, Thomas Goirand tho...@goirand.fr wrote:
* It seems like anyone that spends any time looking at this package
finds security bugs.
.snip.
This is purely your appreciation and your view on my software, I don't
think this is reality.
I was waiting for