Bug#881097: To be removed from wheezy as well
Hi Raphael,

> would still be nice to see what it involves to actually update the
> Packages* files when we want to remove a source package.

Indeed. I had a poke but I'm afraid I'm not terribly «au fait» with that
part of dak and related infrastructure…

Thorsten, do you have any pointers or ideas?

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#881097: To be removed from wheezy as well
On Tue, 19 Dec 2017, Emilio Pozuelo Monfort wrote:
> > Chris or Thorsten, could you possibly look into what it involves and see
> > whether it's doable on the ftpmaster side ?
>
> Another, easier option would be to declare these packages as unsupported
> security-wise.

I pushed a commit into debian-security-support's git repo for this.

But it would still be nice to see what it involves to actually update the
Packages* files when we want to remove a source package.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Bug#881097: To be removed from wheezy as well
On 19/12/17 14:01, Raphael Hertzog wrote:
> Hi,
>
> On Tue, 19 Dec 2017, Salvatore Bonaccorso wrote:
>>> Actually it got removed from wheezy in the meantime. Since it was
>>> marked that way in dla-needed.txt, I pinged the ftp.d.o bug report and
>>> pinged Chris Lamb (as ftp assistant) and the package is gone from wheezy:
>>>
>>> $ rmadison libnet-ping-external-perl
>>> libnet-ping-external-perl | 0.13-1| oldstable-kfreebsd | source, all
>>>
>>> https://tracker.debian.org/pkg/libnet-ping-external-perl
>>
>> But I don't think that worked as you might have expected, and it's not
>> really gone yet. While the dak rm works, there is no point release
>> mechanism for wheezy (LTS) and you still will find
>> libnet-ping-external-perl in the archive (and on the mirrors), as
>> there was not the usual procedure of removing the package, making a
>> new release, and pushing out the updates to the mirrors.
>
> Indeed, you are right:
> rhertzog@nas:/srv/debian/mirror/dists/wheezy/main/binary-i386$ zgrep libnet-ping-external-perl Packages.gz
> Package: libnet-ping-external-perl
> Filename: pool/main/libn/libnet-ping-external-perl/libnet-ping-external-perl_0.13-1_all.deb
>
> The Packages* files have not been updated since June 4th 2016. Only the
> Release file gets regular updates.
>
> Maybe it's time to see what is required to be able to update wheezy... I don't
> think there's any technical reason behind this behaviour. It's just policy that
> we don't want to touch the Packages* files except during point releases.
>
> Given the current LTS policies, I believe that we could have unannounced point
> releases that do not increment any version number... as long as we just remove
> some packages.
>
> Chris or Thorsten, could you possibly look into what it involves and see
> whether it's doable on the ftpmaster side ?

Another, easier option would be to declare these packages as unsupported
security-wise.

Cheers,
Emilio
Bug#881097: To be removed from wheezy as well
Hi,

On Tue, 19 Dec 2017, Salvatore Bonaccorso wrote:
> > Actually it got removed from wheezy in the meantime. Since it was
> > marked that way in dla-needed.txt, I pinged the ftp.d.o bug report and
> > pinged Chris Lamb (as ftp assistant) and the package is gone from wheezy:
> >
> > $ rmadison libnet-ping-external-perl
> > libnet-ping-external-perl | 0.13-1| oldstable-kfreebsd | source, all
> >
> > https://tracker.debian.org/pkg/libnet-ping-external-perl
>
> But I don't think that worked as you might have expected, and it's not
> really gone yet. While the dak rm works, there is no point release
> mechanism for wheezy (LTS) and you still will find
> libnet-ping-external-perl in the archive (and on the mirrors), as
> there was not the usual procedure of removing the package, making a
> new release, and pushing out the updates to the mirrors.

Indeed, you are right:

rhertzog@nas:/srv/debian/mirror/dists/wheezy/main/binary-i386$ zgrep libnet-ping-external-perl Packages.gz
Package: libnet-ping-external-perl
Filename: pool/main/libn/libnet-ping-external-perl/libnet-ping-external-perl_0.13-1_all.deb

The Packages* files have not been updated since June 4th 2016. Only the
Release file gets regular updates.

Maybe it's time to see what is required to be able to update wheezy... I don't
think there's any technical reason behind this behaviour. It's just policy that
we don't want to touch the Packages* files except during point releases.

Given the current LTS policies, I believe that we could have unannounced point
releases that do not increment any version number... as long as we just remove
some packages.

Chris or Thorsten, could you possibly look into what it involves and see
whether it's doable on the ftpmaster side ?

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
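The check Raphael runs with zgrep above, as an added example that is not code from the thread or from dak: a small parser for the stanza format of an apt Packages index that reports whether a binary or source package is still listed. The index excerpt is constructed for the example.

```python
"""Added example, not code from this thread or from dak: parse the stanzas of
an apt Packages index and list those whose Package or Source field matches,
the check that shows a 'dak rm' has not yet reached the index apt reads."""
from typing import Dict, Iterator, List

# Constructed sample in the format of dists/<suite>/main/binary-*/Packages.
SAMPLE_PACKAGES = """\
Package: libnet-ping-external-perl
Version: 0.13-1
Filename: pool/main/libn/libnet-ping-external-perl/libnet-ping-external-perl_0.13-1_all.deb
Description: module to ping hosts using the external ping utility
 Folded continuation line of the long description.

Package: libfoo-perl
Source: foo (1.0-1)
Version: 1.0-1
Filename: pool/main/f/foo/libfoo-perl_1.0-1_all.deb
"""

def parse_stanzas(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per blank-line-separated stanza, joining folded lines."""
    stanza: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():                  # a blank line terminates a stanza
            if stanza:
                yield stanza
            stanza, last_key = {}, None
        elif line[0] in " \t" and last_key:   # continuation of the previous field
            stanza[last_key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            stanza[key] = value.strip()
            last_key = key
    if stanza:
        yield stanza

def find_package(text: str, name: str) -> List[Dict[str, str]]:
    """Stanzas whose binary or source name matches (Source defaults to Package)."""
    # "Source: foo (1.0-1)" may carry a version; the source name is the first word
    return [st for st in parse_stanzas(text)
            if name in (st.get("Package"),
                        (st.get("Source") or st.get("Package", "")).split(" ")[0])]

if __name__ == "__main__":
    for st in find_package(SAMPLE_PACKAGES, "libnet-ping-external-perl"):
        print(f"still indexed: {st['Package']} {st['Version']} -> {st['Filename']}")
```

On a mirror, pass the decompressed text of dists/wheezy/main/binary-i386/Packages.gz (for instance via gzip.open with mode "rt") to find_package instead of the constructed sample; an empty result for the package is what a completed removal looks like.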
Bug#881097: To be removed from wheezy as well
Hi!

On Tue, Dec 19, 2017 at 10:01:07AM +0100, Raphael Hertzog wrote:
> Hello,
>
> On Sun, 17 Dec 2017, Ola Lundqvist wrote:
> > After some more reading I think removing it should be ok anyway. I'll
> > change the wording from "will be removed" to "may be removed" to allow
> > us the freedom to keep it if nobody takes the action to actually
> > remove it.
>
> Actually it got removed from wheezy in the meantime. Since it was
> marked that way in dla-needed.txt, I pinged the ftp.d.o bug report and
> pinged Chris Lamb (as ftp assistant) and the package is gone from wheezy:
>
> $ rmadison libnet-ping-external-perl
> libnet-ping-external-perl | 0.13-1| oldstable-kfreebsd | source, all
>
> https://tracker.debian.org/pkg/libnet-ping-external-perl

But I don't think that worked as you might have expected, and it's not
really gone yet. While the dak rm works, there is no point release
mechanism for wheezy (LTS) and you still will find
libnet-ping-external-perl in the archive (and on the mirrors), as
there was not the usual procedure of removing the package, making a
new release, and pushing out the updates to the mirrors.

Regards,
Salvatore
Bug#881097: To be removed from wheezy as well
Hi Raphael,

> Actually it got removed from wheezy in the meantime. Since it was
> marked that way in dla-needed.txt, I pinged the ftp.d.o bug report and
> pinged Chris Lamb (as ftp assistant) and the package is gone from wheezy:
>
> $ rmadison libnet-ping-external-perl
> libnet-ping-external-perl | 0.13-1| oldstable-kfreebsd | source, all

Naturally, let me know if we should be removing anything else. :)

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#881097: To be removed from wheezy as well
Hello,

On Sun, 17 Dec 2017, Ola Lundqvist wrote:
> After some more reading I think removing it should be ok anyway. I'll
> change the wording from "will be removed" to "may be removed" to allow
> us the freedom to keep it if nobody takes the action to actually
> remove it.

Actually it got removed from wheezy in the meantime. Since it was
marked that way in dla-needed.txt, I pinged the ftp.d.o bug report and
pinged Chris Lamb (as ftp assistant) and the package is gone from wheezy:

$ rmadison libnet-ping-external-perl
libnet-ping-external-perl | 0.13-1| oldstable-kfreebsd | source, all

https://tracker.debian.org/pkg/libnet-ping-external-perl

Cheers,

> On 17 December 2017 at 20:28, Ola Lundqvist wrote:
> > Hi
> >
> > I agree that it may not be the best to remove it then. I suggest we
> > mark it as no-dsa then. Any objections?
> >
> > // Ola
> >
> > On 22 November 2017 at 21:00, Emilio Pozuelo Monfort wrote:
> >> On 08/11/17 20:19, Ola Lundqvist wrote:
> >>> Hi
> >>>
> >>> Considering that this package is about to be removed from jessie I
> >>> guess it should be removed from wheezy too. How is that done? Should I
> >>> contact the FTP maintainers about it, or do we simply ignore the
> >>> issue?
> >>
> >> We don't have point releases, so I'm not sure we can get a package removed at
> >> this stage without extra work by the ftp masters. So our options would be:
> >>
> >> - mark as no-dsa if it's not important enough
> >> - mark as unsupported / end-of-life
> >> - fix it
> >> - get it removed
> >>
> >> The issue seems only exploitable if it's used by a service that is exposed
> >> remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
> >> least one sponsor using that package. So removing it may not be the best course
> >> given there is a proposed patch. So I'd go with either no-dsa or fix it,
> >> depending on the assessed importance.
> >>
> >> Cheers,
> >> Emilio
> >
> > --
> > --- Inguza Technology AB --- MSc in Information Technology
> > /  o...@inguza.com               Folkebogatan 26               \
> > |  o...@debian.org               654 68 KARLSTAD               |
> > |  http://inguza.com/            Mobile: +46 (0)70-332 1551    |
> > \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
> > ---

--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Bug#881097: To be removed from wheezy as well
Hi again

After some more reading I think removing it should be ok anyway. I'll
change the wording from "will be removed" to "may be removed" to allow
us the freedom to keep it if nobody takes the action to actually
remove it.

// Ola

On 17 December 2017 at 20:28, Ola Lundqvist wrote:
> Hi
>
> I agree that it may not be the best to remove it then. I suggest we
> mark it as no-dsa then. Any objections?
>
> // Ola
>
> On 22 November 2017 at 21:00, Emilio Pozuelo Monfort wrote:
>> On 08/11/17 20:19, Ola Lundqvist wrote:
>>> Hi
>>>
>>> Considering that this package is about to be removed from jessie I
>>> guess it should be removed from wheezy too. How is that done? Should I
>>> contact the FTP maintainers about it, or do we simply ignore the
>>> issue?
>>
>> We don't have point releases, so I'm not sure we can get a package removed at
>> this stage without extra work by the ftp masters. So our options would be:
>>
>> - mark as no-dsa if it's not important enough
>> - mark as unsupported / end-of-life
>> - fix it
>> - get it removed
>>
>> The issue seems only exploitable if it's used by a service that is exposed
>> remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
>> least one sponsor using that package. So removing it may not be the best course
>> given there is a proposed patch. So I'd go with either no-dsa or fix it,
>> depending on the assessed importance.
>>
>> Cheers,
>> Emilio

--
--- Inguza Technology AB --- MSc in Information Technology
/  o...@inguza.com               Folkebogatan 26               \
|  o...@debian.org               654 68 KARLSTAD               |
|  http://inguza.com/            Mobile: +46 (0)70-332 1551    |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---
Bug#881097: To be removed from wheezy as well
Hi

I agree that it may not be the best to remove it then. I suggest we
mark it as no-dsa then. Any objections?

// Ola

On 22 November 2017 at 21:00, Emilio Pozuelo Monfort wrote:
> On 08/11/17 20:19, Ola Lundqvist wrote:
>> Hi
>>
>> Considering that this package is about to be removed from jessie I
>> guess it should be removed from wheezy too. How is that done? Should I
>> contact the FTP maintainers about it, or do we simply ignore the
>> issue?
>
> We don't have point releases, so I'm not sure we can get a package removed at
> this stage without extra work by the ftp masters. So our options would be:
>
> - mark as no-dsa if it's not important enough
> - mark as unsupported / end-of-life
> - fix it
> - get it removed
>
> The issue seems only exploitable if it's used by a service that is exposed
> remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
> least one sponsor using that package. So removing it may not be the best course
> given there is a proposed patch. So I'd go with either no-dsa or fix it,
> depending on the assessed importance.
>
> Cheers,
> Emilio

--
--- Inguza Technology AB --- MSc in Information Technology
/  o...@inguza.com               Folkebogatan 26               \
|  o...@debian.org               654 68 KARLSTAD               |
|  http://inguza.com/            Mobile: +46 (0)70-332 1551    |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---
Bug#881097: To be removed from wheezy as well
On Wed, Nov 22, 2017 at 09:00:59PM +0100, Emilio Pozuelo Monfort wrote:
> On 08/11/17 20:19, Ola Lundqvist wrote:
> > Hi
> >
> > Considering that this package is about to be removed from jessie I
> > guess it should be removed from wheezy too. How is that done? Should I
> > contact the FTP maintainers about it, or do we simply ignore the
> > issue?
>
> We don't have point releases, so I'm not sure we can get a package removed at
> this stage without extra work by the ftp masters. So our options would be:
>
> - mark as no-dsa if it's not important enough
> - mark as unsupported / end-of-life
> - fix it
> - get it removed
>
> The issue seems only exploitable if it's used by a service that is exposed
> remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
> least one sponsor using that package. So removing it may not be the best course
> given there is a proposed patch. So I'd go with either no-dsa or fix it,
> depending on the assessed importance.

Hi,

My apologies for taking a while to join the thread.

As the most recent uploader of this package, I feel responsible for helping
get it into a safe state if we opt to keep it. However, I am not an active
user, so if the package is to remain in Debian, it might be better to
transition it to the Debian Perl Team (assuming that is amenable to the team).

I tend to agree with Emilio that removing it might not be the best course of
action for our users, particularly given that we have a patch and the popcon
[1] is non-zero. Removing it from the distribution seems like it merely leaves
users with a known vulnerability. Also, the package might be used in
derivatives.

I agree with Simon that it's a little odd for the patch to bump the version.
(OTOH, it makes it much easier to differentiate from the vulnerable 0.15.)
Still, I am inclined to take the patch as a patch against upstream 0.15 for
the upload to unstable and then backport it for 0.13 for stable and oldstable.

Or perhaps Alexandr Ciornii (on the cc) would be willing to release 0.16
including the patch.

Thoughts?

Thank you,
tony

[1] https://qa.debian.org/popcon.php?package=libnet-ping-external-perl
Bug#881097: To be removed from wheezy as well
On 08/11/17 20:19, Ola Lundqvist wrote:
> Hi
>
> Considering that this package is about to be removed from jessie I
> guess it should be removed from wheezy too. How is that done? Should I
> contact the FTP maintainers about it, or do we simply ignore the
> issue?

We don't have point releases, so I'm not sure we can get a package removed at
this stage without extra work by the ftp masters. So our options would be:

- mark as no-dsa if it's not important enough
- mark as unsupported / end-of-life
- fix it
- get it removed

The issue seems only exploitable if it's used by a service that is exposed
remotely or to other issues... and has no rdeps in wheezy. OTOH there is at
least one sponsor using that package. So removing it may not be the best course
given there is a proposed patch. So I'd go with either no-dsa or fix it,
depending on the assessed importance.

Cheers,
Emilio
Bug#881097: To be removed from wheezy as well
Hi

Considering that this package is about to be removed from jessie I
guess it should be removed from wheezy too. How is that done? Should I
contact the FTP maintainers about it, or do we simply ignore the
issue?

For people who wonder what we are discussing it is about CVE-2008-7319

Best regards

// Ola

--
--- Inguza Technology AB --- MSc in Information Technology
/  o...@inguza.com               Folkebogatan 26               \
|  o...@debian.org               654 68 KARLSTAD               |
|  http://inguza.com/            Mobile: +46 (0)70-332 1551    |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---