On 28/05/13 09:53, Raphael Geissert wrote:
> Hi Daniel,
>
> Although limiting security support is not something that the team
> usually does, Ganglia is not the first package for which this decision
> has been made.
> It is done after a review of the package and its intended use.
>
> If you would like to help change the status, please consider reviewing
> the code, implement standard web security measures and make sure the
> expected use and its requirements are considered also by upstream and
> continued during the following releases.
Hi Raphael,

I don't want to question the security team's judgment in this case, I just want to make sure I understand the situation before communicating this upstream.

Personally, I can't commit to any wholesale refactoring of the Ganglia web code and I don't know if any other upstream developer would make that commitment. However, I will ask for this to be tracked as an upstream issue.

Instead of adding the README.Debian.security file proposed in the earlier patch, I could add a README.security file upstream - the security issue is not Debian-specific. However, I will mention in that file that the Debian security team were involved in analyzing the code and a reference to this bug.

Regards,

Daniel

