Thanks.

I apologize but I couldn't find where on the mailing list this was discussed so 
I need a little more info to proceed.

* I suspect this is unlikely, but is the "WONTFIX" just for util-linux, so it 
would be possible for Debian to ship these tools in a different package? 

* Or, is the thinking that none of the Debian volunteers is willing to keep 
such crufty code audited and as such the programs are essentially orphaned? 

* Is there some known or suspected attack vector other than through sending 
Esc? If so, it would be good for admins to know to be able to weigh the risks 
of manually installing the programs from source.

* What is Debian's suggestion now for communicating with users who are ssh'ed 
into a system?

Thank you for your time,

--Ben



On November 24, 2024 5:12:39 PM PST, Chris Hofstaedtler <z...@debian.org> wrote:
>Control: tags -1 = wontfix
>
>On Sun, Nov 24, 2024 at 12:02:02PM -0800, Ben Wong wrote:
>> I read that mesg and write were removed recently because "people use
>> more secure methods of chatting nowadays." I am guessing this is
>> related to the recent security problem where Debian defaulted to 'mesg
>> n' and 'write' was not filtering Esc. Simply removing the programs may
>> seem like a fix, but unfortunately it is not so easy.
>
>Removing them is from my POV the right way to go. I somewhat expect
>other mainline distros to do the same, sooner or later.
>
>> These are POSIX.2 shell tools which work universally and it would be a
>> shame if Debian were to be the incompatible UNIX.
>
>POSIX could/should change, I guess.
>
>Chris
>
