Hi Markus

Good points. Thank you for the advice.
Best regards

// Ola

On 30 April 2017 at 23:34, Markus Koschany <[email protected]> wrote:
> Hi Ola,
>
> On 30.04.2017 at 22:00, Ola Lundqvist wrote:
> > Hi Markus
> >
> > I think we mostly agree on things here. Good to know.
> >
> > There are some minor comments I have though:
> > 1) There are to my knowledge two types of "no-dsa". One "Minor issue,
> > will be fixed in next point release" and another "Minor issue". I have
> > been told that if the security team decides on a "minor issue", LTS should
> > in most cases do the same. However, if it is a "minor issue, will be fixed
> > in next point release" we should probably fix it as usual.
>
> I think everyone who triages packages has to make a decision from time
> to time. It can be right or wrong. In my opinion we should not blindly
> follow "no-dsa" tags from the security team but instead use the
> opportunity to double-check issues and make up our own mind. Nevertheless,
> to a very high degree the security team's decisions are reasonable of
> course, and often when I triage packages I follow Jessie too.
>
> My point is that "no-dsa" is not final and absolute. If you catch
> yourself spending ten hours on a single issue and end up backporting
> large portions of the latest upstream release for a no-dsa bug, it might
> not really be the best thing to do. But if the fix is straightforward
> and manageable and there is even a more serious bug, it shouldn't be
> much of an issue to fix the no-dsa bugs as well. Let's face it, most of
> the Jessie no-dsa CVEs won't be fixed in a point release unless we do it
> now or in the next LTS.
>
> > 2) Regarding the DoS class. I agree that this can be serious, but to me it
> > looks like there is no actual service software that depends on this
> > library. Just desktop software. We could however consider custom-built
> > software that directly depends on this library. I find that to be a
> > rather unlikely situation. Still, it can be considered.
>
> I consider desktop software like scribus or calibre to be valid
> consumers of libpodofo, and there is even libpodofo-utils which includes
> tools to manipulate PDF files. The latter is suitable for use on server
> systems. I think we shouldn't discriminate between server and desktop
> though.
>
> > Apart from these comments I agree with you.
> >
> > One question to you. Will you look further into fixing the rest of the
> > problems? In that case I can add the dla-needed.txt file with your name
> > on it. :-)
>
> I have talked to Mattia, the maintainer of libpodofo. He intends to fix
> these bugs in unstable and Jessie as well, as soon as upstream has released
> more updates. He will be able to reuse my patches for Jessie. At the
> moment I don't intend to assign myself to libpodofo again because
> upstream is rather slow with fixing those CVEs. Maybe later, but if
> someone else wants to work on it now, please go ahead.
>
> Cheers,
>
> Markus

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  [email protected]                    Folkebogatan 26            \
|  [email protected]                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551  |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
  ---------------------------------------------------------------
