Bug#881097: To be removed from wheezy as well

2017-12-21 Thread Chris Lamb
Hi Raphael,

> would still be nice to see what it involves to actually update the
> Packages* files when we want to remove a source package.

Indeed. I had a poke but I'm afraid I'm not terribly «au fait»
with that part of dak and related infrastructure… Thorsten, do
you have any pointers or ideas?


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#881097: To be removed from wheezy as well

2017-12-21 Thread Raphael Hertzog
On Tue, 19 Dec 2017, Emilio Pozuelo Monfort wrote:
> > Chris or Thorsten, could you possibly look into what it involves and see whether
> > it's doable on the ftpmaster side ?
> 
> Another, easier option would be to declare these packages as unsupported
> security-wise.

I pushed a commit into debian-security-support's git repo for this. But it
would still be nice to see what it involves to actually update the
Packages* files when we want to remove a source package.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Bug#881097: To be removed from wheezy as well

2017-12-19 Thread Emilio Pozuelo Monfort
On 19/12/17 14:01, Raphael Hertzog wrote:
> Hi,
> 
> On Tue, 19 Dec 2017, Salvatore Bonaccorso wrote:
>>> Actually it got removed from wheezy in the meantime. Since it was
>>> marked that way in dla-needed.txt, I pinged the ftp.d.o bug report and 
>>> pinged Chris Lamb (as ftp assistant) and the package is gone from wheezy:
>>>
>>> $ rmadison libnet-ping-external-perl
>>> libnet-ping-external-perl | 0.13-1| oldstable-kfreebsd | source, all
>>>
>>> https://tracker.debian.org/pkg/libnet-ping-external-perl
>>
>> But I don't think that worked as you might have expected, and it's not
>> really gone yet. While the dak rm works, there is no point release
>> mechanism for wheezy (LTS) and you still will find
>> libnet-ping-external-perl in the archive (and on the mirrors), as
>> there was not the usual procedure of removing the package, making a
>> new release, and pushing out the updates to the mirrors.
> 
> Indeed, you are right:
> rhertzog@nas:/srv/debian/mirror/dists/wheezy/main/binary-i386$ zgrep libnet-ping-external-perl Packages.gz
> Package: libnet-ping-external-perl
> Filename: pool/main/libn/libnet-ping-external-perl/libnet-ping-external-perl_0.13-1_all.deb
> 
> The Packages* files have not been updated since June 4th 2016. Only the Release file
> gets regular updates.
> 
> Maybe it's time to see what is required to be able to update wheezy... I don't
> think there's any technical reason behind this behaviour. It's just policy that
> we don't want to touch the Packages* files except during point releases.
> 
> Given the current LTS policies, I believe that we could have unannounced point
> releases that do not increment any version number... as long as we just remove
> some packages.
> 
> Chris or Thorsten, could you possibly look into what it involves and see whether
> it's doable on the ftpmaster side ?

Another, easier option would be to declare these packages as unsupported
security-wise.

Cheers,
Emilio



Bug#881097: To be removed from wheezy as well

2017-12-19 Thread Raphael Hertzog
Hi,

On Tue, 19 Dec 2017, Salvatore Bonaccorso wrote:
> > Actually it got removed from wheezy in the meantime. Since it was
> > marked that way in dla-needed.txt, I pinged the ftp.d.o bug report and 
> > pinged Chris Lamb (as ftp assistant) and the package is gone from wheezy:
> > 
> > $ rmadison libnet-ping-external-perl
> > libnet-ping-external-perl | 0.13-1| oldstable-kfreebsd | source, all
> > 
> > https://tracker.debian.org/pkg/libnet-ping-external-perl
> 
> But I don't think that worked as you might have expected, and it's not
> really gone yet. While the dak rm works, there is no point release
> mechanism for wheezy (LTS) and you still will find
> libnet-ping-external-perl in the archive (and on the mirrors), as
> there was not the usual procedure of removing the package, making a
> new release, and pushing out the updates to the mirrors.

Indeed, you are right:
rhertzog@nas:/srv/debian/mirror/dists/wheezy/main/binary-i386$ zgrep libnet-ping-external-perl Packages.gz
Package: libnet-ping-external-perl
Filename: pool/main/libn/libnet-ping-external-perl/libnet-ping-external-perl_0.13-1_all.deb

The Packages* files have not been updated since June 4th 2016. Only the Release file
gets regular updates.

Maybe it's time to see what is required to be able to update wheezy... I don't
think there's any technical reason behind this behaviour. It's just policy that
we don't want to touch the Packages* files except during point releases.

Given the current LTS policies, I believe that we could have unannounced point
releases that do not increment any version number... as long as we just remove
some packages.

Chris or Thorsten, could you possibly look into what it involves and see whether
it's doable on the ftpmaster side ?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
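The zgrep above shows the gap Salvatore describes: dak has dropped the source, but the mirror's Packages index still advertises the binary. The script below is an added example, not part of this thread or of dak; it parses a Packages index (deb822 stanzas) and reports any package from a removal list that is still listed, so an LTS team can audit a mirror after an `rm` without a point release. The sample index is constructed and only mirrors the entry quoted in the thread.

```python
"""Audit a Packages index for packages that dak removed but the index still lists."""
import gzip

# Constructed sample of a Packages index (deb822 stanzas); not a real mirror dump.
SAMPLE_PACKAGES = """\
Package: libnet-ping-external-perl
Version: 0.13-1
Architecture: all
Filename: pool/main/libn/libnet-ping-external-perl/libnet-ping-external-perl_0.13-1_all.deb

Package: perl-base
Version: 5.14.2-21+deb7u6
Architecture: i386
Filename: pool/main/p/perl/perl-base_5.14.2-21+deb7u6_i386.deb
"""


def parse_packages(text):
    """Parse deb822 stanzas (blank-line separated) into a list of field dicts."""
    stanzas, current, last_field = [], {}, None
    for line in text.splitlines():
        if not line.strip():            # blank line closes the current stanza
            if current:
                stanzas.append(current)
            current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field:   # continuation of a multi-line field
            current[last_field] += "\n" + line.strip()
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def stale_entries(packages_text, removed):
    """Return {package: (version, filename)} for removed packages still indexed."""
    removed = set(removed)
    return {s["Package"]: (s.get("Version", ""), s.get("Filename", ""))
            for s in parse_packages(packages_text) if s.get("Package") in removed}


def check_index_file(path, removed):
    """Run the audit on an on-disk Packages or Packages.gz file from a mirror."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return stale_entries(fh.read(), removed)
```

A non-empty result means the mirror still serves the removed .deb, as in the thread, even though rmadison no longer lists it.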



Bug#881097: To be removed from wheezy as well

2017-12-19 Thread Salvatore Bonaccorso
Hi!

On Tue, Dec 19, 2017 at 10:01:07AM +0100, Raphael Hertzog wrote:
> Hello,
> 
> On Sun, 17 Dec 2017, Ola Lundqvist wrote:
> > After some more reading I think removing it should be ok anyway. I'll
> > change the wording from "will be removed" to "may be removed" to allow
> > us the freedom to keep it if nobody takes the action to actually
> > remove it.
> 
> Actually it got removed from wheezy in the meantime. Since it was
> marked that way in dla-needed.txt, I pinged the ftp.d.o bug report and 
> pinged Chris Lamb (as ftp assistant) and the package is gone from wheezy:
> 
> $ rmadison libnet-ping-external-perl
> libnet-ping-external-perl | 0.13-1| oldstable-kfreebsd | source, all
> 
> https://tracker.debian.org/pkg/libnet-ping-external-perl

But I don't think that worked as you might have expected, and it's not
really gone yet. While the dak rm works, there is no point release
mechanism for wheezy (LTS) and you still will find
libnet-ping-external-perl in the archive (and on the mirrors), as
there was not the usual procedure of removing the package, making a
new release, and pushing out the updates to the mirrors.

Regards,
Salvatore



Bug#881097: To be removed from wheezy as well

2017-12-19 Thread Chris Lamb
Hi Raphael,


> Actually it got removed from wheezy in the meantime. Since it was
> marked that way in dla-needed.txt, I pinged the ftp.d.o bug report and 
> pinged Chris Lamb (as ftp assistant) and the package is gone from wheezy:
> 
> $ rmadison libnet-ping-external-perl
> libnet-ping-external-perl | 0.13-1| oldstable-kfreebsd | source, all

Naturally, let me know if we should be removing anything else. :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#881097: To be removed from wheezy as well

2017-12-19 Thread Raphael Hertzog
Hello,

On Sun, 17 Dec 2017, Ola Lundqvist wrote:
> After some more reading I think removing it should be ok anyway. I'll
> change the wording from "will be removed" to "may be removed" to allow
> us the freedom to keep it if nobody takes the action to actually
> remove it.

Actually it got removed from wheezy in the meantime. Since it was
marked that way in dla-needed.txt, I pinged the ftp.d.o bug report and 
pinged Chris Lamb (as ftp assistant) and the package is gone from wheezy:

$ rmadison libnet-ping-external-perl
libnet-ping-external-perl | 0.13-1| oldstable-kfreebsd | source, all

https://tracker.debian.org/pkg/libnet-ping-external-perl

Cheers,

> On 17 December 2017 at 20:28, Ola Lundqvist  wrote:
> > Hi
> >
> > I agree that it may not be the best to remove it then. I suggest we
> > mark it as no-dsa then. Any objections?
> >
> > // Ola
> >
> > On 22 November 2017 at 21:00, Emilio Pozuelo Monfort  
> > wrote:
> >> On 08/11/17 20:19, Ola Lundqvist wrote:
> >>> Hi
> >>>
> >>> Considering that this package is about to be removed from jessie I
> >>> guess it should be removed from wheezy too. How is that done? Should I
> >>> contact the FTP maintainers about it, or do we simply ignore the
> >>> issue?
> >>
> >> We don't have point releases, so I'm not sure we can get a package removed at
> >> this stage without extra work by the ftp masters. So our options would be:
> >>
> >> - mark as no-dsa if it's not important enough
> >> - mark as unsupported / end-of-life
> >> - fix it
> >> - get it removed
> >>
> >> The issue seems only exploitable if it's used by a service that is exposed
> >> remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
> >> least one sponsor using that package. So removing it may not be the best course
> >> given there is a proposed patch. So I'd go with either no-dsa or fix it,
> >> depending on the assessed importance.
> >>
> >> Cheers,
> >> Emilio

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Bug#881097: To be removed from wheezy as well

2017-12-17 Thread Ola Lundqvist
Hi again

After some more reading I think removing it should be ok anyway. I'll
change the wording from "will be removed" to "may be removed" to allow
us the freedom to keep it if nobody takes the action to actually
remove it.

// Ola

On 17 December 2017 at 20:28, Ola Lundqvist  wrote:
> Hi
>
> I agree that it may not be the best to remove it then. I suggest we
> mark it as no-dsa then. Any objections?
>
> // Ola
>
> On 22 November 2017 at 21:00, Emilio Pozuelo Monfort  wrote:
>> On 08/11/17 20:19, Ola Lundqvist wrote:
>>> Hi
>>>
>>> Considering that this package is about to be removed from jessie I
>>> guess it should be removed from wheezy too. How is that done? Should I
>>> contact the FTP maintainers about it, or do we simply ignore the
>>> issue?
>>
>> We don't have point releases, so I'm not sure we can get a package removed at
>> this stage without extra work by the ftp masters. So our options would be:
>>
>> - mark as no-dsa if it's not important enough
>> - mark as unsupported / end-of-life
>> - fix it
>> - get it removed
>>
>> The issue seems only exploitable if it's used by a service that is exposed
>> remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
>> least one sponsor using that package. So removing it may not be the best course
>> given there is a proposed patch. So I'd go with either no-dsa or fix it,
>> depending on the assessed importance.
>>
>> Cheers,
>> Emilio



-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---



Bug#881097: To be removed from wheezy as well

2017-12-17 Thread Ola Lundqvist
Hi

I agree that it may not be the best to remove it then. I suggest we
mark it as no-dsa then. Any objections?

// Ola

On 22 November 2017 at 21:00, Emilio Pozuelo Monfort  wrote:
> On 08/11/17 20:19, Ola Lundqvist wrote:
>> Hi
>>
>> Considering that this package is about to be removed from jessie I
>> guess it should be removed from wheezy too. How is that done? Should I
>> contact the FTP maintainers about it, or do we simply ignore the
>> issue?
>
> We don't have point releases, so I'm not sure we can get a package removed at
> this stage without extra work by the ftp masters. So our options would be:
>
> - mark as no-dsa if it's not important enough
> - mark as unsupported / end-of-life
> - fix it
> - get it removed
>
> The issue seems only exploitable if it's used by a service that is exposed
> remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
> least one sponsor using that package. So removing it may not be the best course
> given there is a proposed patch. So I'd go with either no-dsa or fix it,
> depending on the assessed importance.
>
> Cheers,
> Emilio



-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---



Bug#881097: To be removed from wheezy as well

2017-11-22 Thread tony mancill
On Wed, Nov 22, 2017 at 09:00:59PM +0100, Emilio Pozuelo Monfort wrote:
> On 08/11/17 20:19, Ola Lundqvist wrote:
> > Hi
> > 
> > Considering that this package is about to be removed from jessie I
> > guess it should be removed from wheezy too. How is that done? Should I
> > contact the FTP maintainers about it, or do we simply ignore the
> > issue?
> 
> We don't have point releases, so I'm not sure we can get a package removed at
> this stage without extra work by the ftp masters. So our options would be:
> 
> - mark as no-dsa if it's not important enough
> - mark as unsupported / end-of-life
> - fix it
> - get it removed
> 
> The issue seems only exploitable if it's used by a service that is exposed
> remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
> least one sponsor using that package. So removing it may not be the best course
> given there is a proposed patch. So I'd go with either no-dsa or fix it,
> depending on the assessed importance.

Hi,

My apologies for taking a while to join the thread.  As the most recent
uploader of this package, I feel responsible for helping get it into a
safe state if we opt to keep it.  However, I am not an active user, so
if the package is to remain in Debian, it might be better to transition
it to the Debian Perl Team (assuming that is amenable to the team).

I tend to agree with Emilio that removing it might not be the best
course of action for our users, particularly given that we have a patch
and the popcon [1] is non-zero.  Removing it from the distribution seems
like it merely leaves users with a known vulnerability.  Also, the
package might be used in derivatives.

I agree with Simon that it's a little odd for the patch to bump the
version.  (OTOH, it makes it much easier to differentiate from the
vulnerable 0.15.)  Still, I am inclined to take the patch as a patch
against upstream 0.15 for the upload to unstable and then backport it
for 0.13 for stable and oldstable.  Or perhaps Alexandr Ciornii (on the
cc) would be willing to release 0.16 including the patch.

Thoughts?

Thank you,
tony

[1] https://qa.debian.org/popcon.php?package=libnet-ping-external-perl




Bug#881097: To be removed from wheezy as well

2017-11-22 Thread Emilio Pozuelo Monfort
On 08/11/17 20:19, Ola Lundqvist wrote:
> Hi
> 
> Considering that this package is about to be removed from jessie I
> guess it should be removed from wheezy too. How is that done? Should I
> contact the FTP maintainers about it, or do we simply ignore the
> issue?

We don't have point releases, so I'm not sure we can get a package removed at
this stage without extra work by the ftp masters. So our options would be:

- mark as no-dsa if it's not important enough
- mark as unsupported / end-of-life
- fix it
- get it removed

The issue seems only exploitable if it's used by a service that is exposed
remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
least one sponsor using that package. So removing it may not be the best course
given there is a proposed patch. So I'd go with either no-dsa or fix it,
depending on the assessed importance.

Cheers,
Emilio



Bug#881097: To be removed from wheezy as well

2017-11-08 Thread Ola Lundqvist
Hi

Considering that this package is about to be removed from jessie I
guess it should be removed from wheezy too. How is that done? Should I
contact the FTP maintainers about it, or do we simply ignore the
issue?

For people who wonder what we are discussing it is about CVE-2008-7319

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---