On 27/05/13 18:41, Salvatore Bonaccorso wrote:
> Hi Daniel, hi Stuart
>
> On Mon, Mar 11, 2013 at 11:34:49AM +0100, Raphael Geissert wrote:
>> Package: ganglia
>> Version: 3.3.8-1
>> Severity: grave
>> Tags: security
>> Control: clone -1 -2
>> Control: reassign -2 src:ganglia-web 3.5.2-1
>> X-Debbugs-cc: [email protected]
>>
>> Hi again,
>>
>> Given the recent issues in Ganglia's web frontend and a review of some
>> portions of the code we, as in the security team, have decided to
>> limit ganglia's security support to installations behind a trusted
>> HTTP zone.
>> Any vulnerability that is only relevant when exposing ganglia's web
>> frontend to a non-secure zone will therefore be treated as a non-issue
>> by the security team. They could still be fixed via a SPU, however.
>>
>> As such, please add a README.Debian.security file briefly mentioning
>> the limited security support, effective for the version in wheezy and
>> newer.
>
> Looks like the changes from 3.3.8-1+nmu1 got lost with the recent upload.
> Could you please re-add the debian/README.Debian.security file
> describing the limited support?
>
> See #702775.
I'd like to understand this a little better. Is this a general strategy for multiple PHP packages now, or a special case just for Ganglia?

If it's relevant, is the security team aware of the number of public installations that are easily found with a Google search?

Sample search query: "ganglia" "cluster report" (with the quotes)

Some are even promoted more publicly: http://ganglia.wikimedia.org/

The recent decision to split the upstream web/ source tree into a standalone source package should ease the process for NMUs, as it means somebody patching the web code doesn't have to worry about the rest of the binary packages, autotools or anything else like that.

I realise this doesn't address all your concerns, but I hope it is helpful; today's upload is the first upload using the new upstream source layout.

Regards,

Daniel