>>>>> "Russ" == Russ Allbery <[EMAIL PROTECTED]> writes:
Russ> Mark Eichin <[EMAIL PROTECTED]> writes: >> Package: krb5-clients Version: 1.4.4-7etch1 Severity: normal >> According to http://web.mit.edu/kerberos/mail-lists.html krb5 >> bugs should be submitted with krb5-send-pr. I suggest either >> actually including it in some package, *or* if you prefer for >> these bugs to go through debian, to have a krb5-send-pr >> installed that says that (or runs reportbug appropriately, or >> something.) (I'd kind of prefer the former, but that may not >> actually be right for the package...) Russ> I think the web page is actually the problem here and should Russ> be fixed, although Sam can speak to this better than I. The Russ> version of send-pr that comes with krb5 has /tmp file Russ> vulnerabilities, so it would need some work before shipping Russ> it with the Debian pacakge (see Bug#278271). Help me understand why you care about /tmp vulnerabilities in krb5-send-pr. It's not an application that you expect to be run in an automated manner and it seems very hard to usefully exploit. Russ> send-pr is partly a left-over from when MIT Kerberos was Russ> using GNATS for bug tracking and they've since switched to Russ> RT. It still works (I think -- I haven't used it in a long Russ> time, and I see a bug was just filed upstream saying it Russ> didn't work properly for at least one person), in that it Russ> creates a bug in RT and does prompt for some useful Russ> information, but my understanding was that most people were Russ> creating bugs these days by just mailing them directly to Russ> the RT address. But maybe the prompting from send-pr is Russ> still useful. I think it is. I think we'd rather people file things with send-pr so fields in the bug get populated and the version reported gets set. However I think that for Debian bugs should go through reportbug. In principle I don't have a problem with adding a krb5-send-pr that suggests reportbug. --Sam -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]