On 28/05/13 09:53, Raphael Geissert wrote:
> Hi Daniel,
>
>
> Although limiting security support is not something that the team
> usually does, Ganglia is not the first package for which this decision
> has been made.
> It is done after a review of the package and its intended use.
>
> If you would like to help change the status, please consider reviewing
> the code, implement standard web security measures and make sure the
> expected use and its requirements are considered also by upstream and
> continued during the following releases.
>

Hi Raphael,

I don't want to question the security team's judgment in this case, I
just want to make sure I understand the situation before communicating
this upstream.

Personally, I can't commit to any wholesale refactoring of the Ganglia
web code and I don't know if any other upstream developer would make
that commitment.  However, I will ask for this to be tracked as an
upstream issue.

Instead of adding the README.Debian.security file proposed in the
earlier patch, I could add a README.security file upstream - the
security issue is not Debian-specific.  However, I will mention in that
file that the Debian security team were involved in analyzing the code
and a reference to this bug.

Regards,

Daniel
