Hi Moritz,

On Fri, Aug 17, 2007 at 10:53:48PM +0200, Moritz Muehlenhoff wrote:
> Mark Purcell wrote:
> > On Wed, 8 Aug 2007, Lionel Elie Mamane wrote:
> > > Yes, but we should still fix that in stable, not only unstable.
> > 
> > Yes I wasn't suggesting that we don't fix it in stable, but rather that a
> > fix was available and had been uploaded to Debian (unstable).  The BTS
> > supports version tracking and even though the bug may be closed, these
> > security issues are still listed as open for asterisk in etch.
> > 
> > Of course if we have a way of testing the fix in unstable is valid
> > that's even better.
> > 
> > Of course fixing the plethora of security fixes against asterisk 1.2 is an
> > issue and a fair amount of work.  Whilst digium continues to provide
> > supported releases of 1.2.x with bug fixes, by rights we should be only
> > taking the diffs and applying them to debian stable via the debian
> > security team, which is a job in itself.
> > 
> > We are maintaining up-to-date asterisk 1.2 packages built against stable
> > (etch) via http://buildserver.net, but that is using the latest asterisk
> > 1.2 upstream release and isn't a suitable security fix for upload to
> > stable. (but would be a lot less work and would get the fixes into stable
> > v.quickly)
> > 
> > security team. This is an issue, we (pkg-voip) are aware we are well
> > behind the curve on this, but were wondering if you have any ideas on a
> > way to better manage?
> 
> For Etch we need to bite the bullet and continue to support it (see my
> previous mail to Faidon), but with the current strain of vulnerabilities
> (19 in 2007 alone!) we can't support it for Lenny again. In some cases we
> need to accept notoriously error-prone packages because they are terribly
> important (like PHP and Linux), but we can't do that for Asterisk.

I somewhat expected this. So it's good we're discussing this now.  ;)
To start, yes, I feel that backporting fixes is a large burden. We can
help, but with this amount of vulnerabilities it's very tedious. So
working around it is surely the preferred choice.


> For Lenny I see three solutions: (in order of my personal preference)
> 1. Move it to volatile.debian.org and support it through builds of the
>    current Digium maintenance release

Definitely a good choice.


> 2. Drop it from stable and support it out of the archive through builds of
>    the current Digium maintenance release

May come even a bit handier for the pkg-voip team, as that _could_ mean
supporting through pkg-voip.buildserver.net (which is in fact generated
with no extra work required from the developers). 


> 3. For Lenny we'll most likely have a way to flag packages not having
>    security support (see #436161). So, it could be included in Lenny w/o
>    security support. There might still be use cases, e.g. a company-wide
>    internal PBX.

Well, in that case it seems to me as good as just dropping asterisk from Debian,
which would be an inconvenience to our users. Therefore I'd welcome
options 1 or 2. As stated, if you agree that 2 solves the problem, I
think we can go with that.


> Comments?

If the rest of the pkg-voip developers agree, I'll just put up a pseudo
RC-bug against asterisk to make sure it's not progressing into testing
anymore (and therefore not contained in the stable release of Lenny and
newer).

-- 
Best regards,
Kilian
