The debian-private mailing list leak, part 1.


Re: URGENT: libXt problems



> IMHO this must go into 1.3, there is no point doing a release
> containing well-known security bugs of this kind.

Gee, 1.2 went out with similarly well known security bugs...

Unless someone plans to rewrite X (and all the applications) in a high
level language[1] that is less vulnerable to this class of mistake[2],
*whatever* we ship is going to have problems like this.  It's a matter
of degree as to how many of them.  Certainly we should try to fix ones
we can -- but I'll note that for many of these the *exploits* are
known but the fixes aren't.  Since the upstream maintainer (the
XFree86 organization, or even The Open Group) is on a "long orbit"
release cycle, we *will* have this class of problem unless we plan our
releases around their releases, which is of course impossible if they
don't actually *publish* [or stick to] their schedule.

1.3 is *less* of a problem than 1.2 was; that alone is sufficient
reason to ship it.  In practice, we'll *never* have a release with no
problems.  Debian is one of the few releases that has a really clean
way to do follow-on updates...  we simply need to plan them more
carefully.

Again, IMHO it's entirely up to the release team as to what goes into
1.3 and what goes later; if I had a strong opinion about it I'd be
*on* the release team.  3.2-7 will go into unstable, and if it needs
to be moved somewhere else for a release, they should definitely do
it, but they are doing the testing and it's their call.
			_Mark_ <eichin@kitten.gen.ma.us>
			The Herd of Kittens
			Debian X Maintainer

ps. [1] no, C++ isn't one. [2] programmers being what they are,
they *will* find other classes of error.

