>>>>> "Russ" == Russ Allbery <[EMAIL PROTECTED]> writes:
Russ> Mark Eichin <[EMAIL PROTECTED]> writes:
>> Package: krb5-clients Version: 1.4.4-7etch1 Severity: normal
>> According to http://web.mit.edu/kerberos/mail-lists.html krb5
>> bugs should be submitted with krb5-send-pr. I suggest either
>> actually including it in some package, *or* if you prefer for
>> these bugs to go through debian, to have a krb5-send-pr
>> installed that says that (or runs reportbug appropriately, or
>> something.) (I'd kind of prefer the former, but that may not
>> actually be right for the package...)
Russ> I think the web page is actually the problem here and should
Russ> be fixed, although Sam can speak to this better than I. The
Russ> version of send-pr that comes with krb5 has /tmp file
Russ> vulnerabilities, so it would need some work before shipping
Russ> it with the Debian pacakge (see Bug#278271).
Help me understand why you care about /tmp vulnerabilities in
krb5-send-pr. It's not an application that you expect to be run in an
automated manner and it seems very hard to usefully exploit.
Russ> send-pr is partly a left-over from when MIT Kerberos was
Russ> using GNATS for bug tracking and they've since switched to
Russ> RT. It still works (I think -- I haven't used it in a long
Russ> time, and I see a bug was just filed upstream saying it
Russ> didn't work properly for at least one person), in that it
Russ> creates a bug in RT and does prompt for some useful
Russ> information, but my understanding was that most people were
Russ> creating bugs these days by just mailing them directly to
Russ> the RT address. But maybe the prompting from send-pr is
Russ> still useful.
I think it is. I think we'd rather people file things with send-pr so
fields in the bug get populated and the version reported gets set.
However I think that for Debian bugs should go through reportbug.
In principle I don't have a problem with adding a krb5-send-pr that
suggests reportbug.
--Sam
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
