On Tue, 2006-03-07 at 15:26 +0000, Martin Michlmayr wrote:
> * Moritz Muehlenhoff <[EMAIL PROTECTED]> [2006-03-07 16:10]:
> > Anthony Towns wrote:
> > > There are, for instance, a range of outstanding RC bugs
> > > on sudo as a result of the security release for it that need fixing,
> > > which aiui aren't being worked on
> >
> > Bdale said he would prepare a patch, that would add more documentation
> > and whitelist some more env vars like DISPLAY or XAUTHORITY. We haven't
> > heard from him yet.
>
> Let's CC him. Bdale, what's the status of this?

Thanks. I'm not caught up on -vote email right now.

This whole sudo situation is frustrating to me, because the patch used by the security team for stable is not what I chose to do for unstable, and as the entries in the BTS make clear, the lack of documentation for the behavior change in the security update left many of our users confused and upset.

The email exchange I initiated with the security team about the open bugs against sudo eventually led to what I believe is an agreement about what should change for another update of sudo in stable, belief that what we're talking about is in fairly good alignment with what upstream hopes to deliver for his next version, and therefore my agreement that implementing the same behavior for unstable is something I'm willing to do once we have a suitable patch.

Frankly, I'm hoping we get a new upstream release in time for etch so that we don't have to ship a sudo that behaves differently from the rest of the world, because more secure or not, being different won't make many users happy.

With respect to generating a suitable patch, what I actually said in my last email on the subject dated 16 Feb to Joey, kov, and the security team was:

> Who has time to prepare a candidate patch? I am traveling through the
> weekend, maybe I will have time next Monday or Tuesday if nobody gets
> to it sooner.

That got no response, the "maybe" did not happen, and there has been no further email to me that suggested anyone was blocking any other activities waiting for this work, other than the obvious angst of our users who are trying to live with the current version that is reflected in our BTS.

I'll put this at the top of my priority list of things to do for Debian, but if someone else has time to create a candidate patch and send it to me while I continue with my paying work for today, that would certainly help and be welcomed!

Bdale

