remove dtc from oneiric and blacklist: multiple security and policy bugs

Bug #849544 reported by Steve Langasek
Affects: dtc (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Unassigned | Milestone: none

Bug Description

The dtc source package has never been included in a Debian release because it persistently has release-critical bugs in Debian - many of them security bugs.

 http://bugs.debian.org/src:dtc

The Debian security team has recently requested the package's removal from Debian altogether as a result.

  http://bugs.debian.org/637509

The package has still not been removed because the package maintainer objects and believes it's fine to keep it unreleased in unstable while he works on the security issues. However, failing to propagate to testing doesn't keep the package out of Ubuntu releases; dtc has been included in every Ubuntu release since at least hardy, carrying significant security vulnerabilities.

As suggested by Scott Kitterman, I therefore intend to remove dtc from oneiric and blacklist it to prevent it from being reintroduced accidentally.


Steve Langasek (vorlon) wrote :

2011-09-13 23:26:33 INFO Removing candidates:
2011-09-13 23:26:33 INFO dtc 0.32.10-2 in oneiric
2011-09-13 23:26:33 INFO dtc-autodeploy 0.32.10-2 in oneiric amd64
2011-09-13 23:26:33 INFO dtc-autodeploy 0.32.10-2 in oneiric armel
2011-09-13 23:26:33 INFO dtc-autodeploy 0.32.10-2 in oneiric i386
2011-09-13 23:26:33 INFO dtc-autodeploy 0.32.10-2 in oneiric powerpc
2011-09-13 23:26:33 INFO dtc-common 0.32.10-2 in oneiric amd64
2011-09-13 23:26:33 INFO dtc-common 0.32.10-2 in oneiric armel
2011-09-13 23:26:33 INFO dtc-common 0.32.10-2 in oneiric i386
2011-09-13 23:26:33 INFO dtc-common 0.32.10-2 in oneiric powerpc
2011-09-13 23:26:33 INFO dtc-core 0.32.10-2 in oneiric amd64
2011-09-13 23:26:33 INFO dtc-core 0.32.10-2 in oneiric armel
2011-09-13 23:26:33 INFO dtc-core 0.32.10-2 in oneiric i386
2011-09-13 23:26:33 INFO dtc-core 0.32.10-2 in oneiric powerpc
2011-09-13 23:26:33 INFO dtc-cyrus 0.32.10-2 in oneiric amd64
2011-09-13 23:26:33 INFO dtc-cyrus 0.32.10-2 in oneiric armel
2011-09-13 23:26:33 INFO dtc-cyrus 0.32.10-2 in oneiric i386
2011-09-13 23:26:33 INFO dtc-cyrus 0.32.10-2 in oneiric powerpc
2011-09-13 23:26:33 INFO dtc-dos-firewall 0.32.10-2 in oneiric amd64
2011-09-13 23:26:33 INFO dtc-dos-firewall 0.32.10-2 in oneiric armel
2011-09-13 23:26:33 INFO dtc-dos-firewall 0.32.10-2 in oneiric i386
2011-09-13 23:26:33 INFO dtc-dos-firewall 0.32.10-2 in oneiric powerpc
2011-09-13 23:26:33 INFO dtc-postfix-courier 0.32.10-2 in oneiric amd64
2011-09-13 23:26:33 INFO dtc-postfix-courier 0.32.10-2 in oneiric armel
2011-09-13 23:26:33 INFO dtc-postfix-courier 0.32.10-2 in oneiric i386
2011-09-13 23:26:33 INFO dtc-postfix-courier 0.32.10-2 in oneiric powerpc
2011-09-13 23:26:33 INFO dtc-postfix-dovecot 0.32.10-2 in oneiric amd64
2011-09-13 23:26:33 INFO dtc-postfix-dovecot 0.32.10-2 in oneiric armel
2011-09-13 23:26:33 INFO dtc-postfix-dovecot 0.32.10-2 in oneiric i386
2011-09-13 23:26:33 INFO dtc-postfix-dovecot 0.32.10-2 in oneiric powerpc
2011-09-13 23:26:33 INFO dtc-stats-daemon 0.32.10-2 in oneiric amd64
2011-09-13 23:26:33 INFO dtc-stats-daemon 0.32.10-2 in oneiric armel
2011-09-13 23:26:33 INFO dtc-stats-daemon 0.32.10-2 in oneiric i386
2011-09-13 23:26:33 INFO dtc-stats-daemon 0.32.10-2 in oneiric powerpc
2011-09-13 23:26:33 INFO dtc-toaster 0.32.10-2 in oneiric amd64
2011-09-13 23:26:33 INFO dtc-toaster 0.32.10-2 in oneiric armel
2011-09-13 23:26:33 INFO dtc-toaster 0.32.10-2 in oneiric i386
2011-09-13 23:26:33 INFO dtc-toaster 0.32.10-2 in oneiric powerpc
2011-09-13 23:26:33 INFO Removed-by: Steve Langasek
2011-09-13 23:26:33 INFO Comment: multiple longstanding security bugs; LP: #849544
2011-09-13 23:26:33 INFO 37 packages successfully removed.
2011-09-13 23:26:33 INFO Transaction committed.
2011-09-13 23:26:33 INFO The archive will be updated in the next publishing cycle.

Changed in dtc (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Thomas Goirand (thomas-goirand) wrote : Re: [Bug 849544] [NEW] remove dtc from oneiric and blacklist: multiple security and policy bugs

On 09/14/2011 07:25 AM, Steve Langasek wrote:
> Public bug reported:
>
> The dtc source package has never been included in a Debian release

That's wrong, it was, and it still is, in Lenny.

> because it persistently has release-critical bugs in Debian

No, it is not in Squeeze *because I asked for that*, since I didn't want
to maintain version 0.30.0, and the release team refused to accept
version 0.32 because it was too late in the freeze.

> http://bugs.debian.org/src:dtc
>
> The Debian security team has recently requested the packages removal
> from Debian altogether as a result.

1/ This is *not* the security team who did such request. Mike is from
the release team.
2/ The removal request is mainly because of policy compliance issues.

> http://bugs.debian.org/637509
>
> The package has still not been removed because the package maintainer
> objects and believes it's fine to keep it unreleased in unstable while
> he works on the security issues.

I think you don't understand at all what's happening. Absolutely *all*
of the release-critical bugs have been dealt with, in both SID and in
old-stable. Bugs are still open because the old-stable packages haven't
reached the security mirrors yet.

#637509 has been opened merely because of an opinion from Mike O'Connor
that he thinks more security issues will be found.

> However, failing to propagate to
> testing doesn't keep the package out of Ubuntu releases; dtc has been
> included in every Ubuntu release since at least hardy, carrying
> significant security vulnerabilities.

Which I systematically addressed by giving security updates. Please see
the package history. I'm currently working on Ubuntu security releases,
you can already use version 0.34.1 and 0.29.18, and I will be
backporting bug fixes for other Ubuntu versions.

> As suggested by Scott Kitterman, I therefore intend to remove dtc from
> oneiric and blacklist it to prevent it from being reintroduced
> accidentally.

It would have been nice to get in touch with me first...

Thomas Goirand (zigo)

Steve Langasek (vorlon) wrote :

On Wed, Sep 14, 2011 at 11:30:08AM +0800, Thomas Goirand wrote:
> On 09/14/2011 07:25 AM, Steve Langasek wrote:
> > The dtc source package has never been included in a Debian release

> That's wrong, it was, and it still is, in Lenny.

I stand corrected.

> > because it persistently has release-critical bugs in Debian

> No, it is not in Squeeze *because I asked for that*, since I didn't want
> to maintain version 0.30.0, and the release team refused to accept
> version 0.32 because it was too late in the freeze.

By definition, if you asked for the removal of 0.30.0 from squeeze because
it was unsuitable for release, it was buggy in a release-critical way. That
the release-critical bugs lasted into the depths of the Debian release
freeze to the point that the only available option was removal certainly
qualifies as "persistent" in my book.

Ubuntu is on a six-month release cycle, and once the release is out, removal
of the package is no longer an option. We can't afford to wait and see if
the package becomes releasable in Debian if we want to care for the quality
of Ubuntu, because by the time we know with any clarity another Ubuntu
release may have happened.

> > http://bugs.debian.org/src:dtc

> > The Debian security team has recently requested the packages removal
> > from Debian altogether as a result.

> 1/ This is *not* the security team who did such request. Mike is from
> the release team.

In fact he is neither; I misremembered him being on the security team,
sorry. He is an ftp assistant and the removal request was made under the
auspices of the Debian QA team.

> 2/ The removal request is mainly because of policy compliant issues.

That is not what http://bugs.debian.org/637509 says.

> > http://bugs.debian.org/637509

> > The package has still not been removed because the package maintainer
> > objects and believes it's fine to keep it unreleased in unstable while
> > he works on the security issues.

> I think you don't understand at all what's happening. Absolutely *all*
> of the release-critical bugs have been dealt with, in both SID and in
> old-stable. Bugs are still opened because the old-stable packages hasn't
> reach yet the security mirrors.

http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dtc;dist=unstable lists 8
bugs at RC severity that are not fixed in unstable.

  http://bugs.debian.org/637630 - shell injection in package installer
  http://bugs.debian.org/637632 - sql injection in package installer
  http://bugs.debian.org/614302 - CVE-2011-0436: new users' unencrypted passwords emailed to site admin
  http://bugs.debian.org/637501 - dtc-common: modifies config files of other packages
  http://bugs.debian.org/637622 - dtc-common: places configuration files in /var/lib
  http://bugs.debian.org/640605 - dtc-postfix-courier: installation fails: /var/run/courier/authdaemon/pid.lock: No such file or directory
  http://bugs.debian.org/614304 - dtc-common: does store user passwords unhashed in the database
  http://bugs.debian.org/633580 - dtc: inadequate debian/copyright

Are you unaware that these bugs are still affecting the package in unstable?

> #637509 has been opened merely because of an opinion from Mike O...

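The three bug classes named in that list (shell injection and SQL injection in an installer, and passwords stored and mailed in the clear) shown beside the hardened form of each, as an added example: this is not dtc's code and nothing here is taken from its bug reports. The toy installer, the SQLite `allowed` table, the function names and the sample inputs are constructed for the illustration, with `echo` standing in for the real install command.

```python
"""Toy "package installer" showing shell injection, SQL injection and
plaintext password storage next to a hardened version of each.
Added example: not dtc's code; the function names, the SQLite schema and
the sample inputs are constructed for illustration."""
import hashlib
import hmac
import os
import re
import sqlite3
import subprocess

# Debian package-name grammar: lowercase alphanumerics plus '+', '-', '.'
PKG_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")


# ---- 1. shell injection ---------------------------------------------------
def vulnerable_shell_install(pkg):
    """String-built command handed to /bin/sh; 'echo' stands in for apt-get.
    A ';' in pkg ends the command and starts an attacker-chosen one."""
    cmd = "echo installing " + pkg            # attacker-controlled pkg
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_shell_install(pkg):
    """Validate against the package-name grammar, then pass an argv list so
    no shell ever parses the name."""
    if not PKG_NAME_RE.match(pkg):
        raise ValueError("invalid package name: %r" % pkg)
    argv = ["echo", "installing", pkg]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# ---- 2. SQL injection -----------------------------------------------------
def make_db():
    """In-memory allow-list of packages the panel may install (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE allowed (pkg TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO allowed VALUES (?)",
                     [("apache2",), ("postfix",)])
    return conn


def vulnerable_is_allowed(conn, pkg):
    """Allow-list check with the value interpolated into the query text:
    pkg = "' OR '1'='1" turns the check into SELECT-everything."""
    rows = conn.execute(
        "SELECT pkg FROM allowed WHERE pkg = '%s'" % pkg).fetchall()
    return bool(rows)


def safe_is_allowed(conn, pkg):
    """Same check with a bound parameter: the value can never become SQL."""
    rows = conn.execute(
        "SELECT pkg FROM allowed WHERE pkg = ?", (pkg,)).fetchall()
    return bool(rows)


# ---- 3. credential storage ------------------------------------------------
def safe_store_password(password, iterations=200_000):
    """What fixing 'stores user passwords unhashed' looks like: keep a salted
    PBKDF2 digest, so neither a database dump nor a welcome e-mail built from
    the record can reveal the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme: %s" % algo)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    evil = "apache2; echo PWNED"
    print(vulnerable_shell_install(evil))       # the second command runs
    try:
        safe_shell_install(evil)
    except ValueError as e:
        print("rejected:", e)
    conn = make_db()
    bypass = "' OR '1'='1"
    print(vulnerable_is_allowed(conn, bypass), safe_is_allowed(conn, bypass))
    rec = safe_store_password("hunter2")
    print(verify_password(rec, "hunter2"), verify_password(rec, "wrong"))
```

The two hardening steps for the installer are independent: the grammar check rejects anything that is not a package name, and the argv list and bound parameter mean that even a name that slipped past the check could not change what the shell or the database executes.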

Thomas Goirand (thomas-goirand) wrote : Re: [Bug 849544] Re: remove dtc from oneiric and blacklist: multiple security and policy bugs

----- Original message -----
> On Wed, Sep 14, 2011 at 11:30:08AM +0800, Thomas Goirand wrote:
> By definition, if you asked for the removal of 0.30.0 from squeeze
> because it was unsuitable for release, it was buggy in a
> release-critical way.  That the release-critical bugs lasted into the
> depths of the Debian release freeze to the point that the only available
> option was removal certainly qualifies as "persistent" in my book.

This isn't what happened. I asked for removal not because it was
unsuitable for release, but because the release team refused to unblock
version 0.32, and because I had no time to work on testing version 0.30.
The main issue was that I had my Debian account early in July, and it
was a very tough schedule for me with all the work I had to do, and with
the freeze happening without prior announcement!

> > I think you don't understand at all what's happening. Absolutely *all*
> > of the release-critical bugs have been dealt with, in both SID and in
> > old-stable. Bugs are still opened because the old-stable packages
> > hasn't reach yet the security mirrors.
>
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dtc;dist=unstable lists
> 8 bugs at RC severity that are not fixed in unstable.

NO!!! Look better. The bugs are still open, but
they are marked as fixed in 0.34.1! The bugs are
still open because not yet fixed in old-stable
(but I did upload already).

> Are you unaware that these bugs are still affecting the package in
> unstable?

I quite know they are fixed, since I'm the one who
fixed them.

> It is an opinion that I share.  This software serves a security-sensitive
> function, and the set of security issues that have been encountered to
> date are a clear indication that you are not well versed in the
> necessary secure programming practices.  The probability of further
> significant security issues being found if someone were to audit the
> code approaches 1.

That's a much better wording than what you wrote
before, which was simply wrong. :)

> When dtc migrates back to Debian testing, I'm more than happy to revisit
> this removal.

Ok.

Thomas

Steve Langasek (vorlon) wrote :

On Wed, Sep 14, 2011 at 01:59:53PM -0000, Thomas Goirand wrote:
> > > I think you don't understand at all what's happening. Absolutely *all*
> > > of the release-critical bugs have been dealt with, in both SID and in
> > > old-stable. Bugs are still opened because the old-stable packages
> > > hasn't reach yet the security mirrors.

> > http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dtc;dist=unstable lists
> > 8 bugs at RC severity that are not fixed in unstable.

> NO!!! Look better. The bugs are still open, but they are marked as fixed
> in 0.34.1!

No, they are not marked as fixed in 0.34.1. If you believe these bugs are
fixed, then I think as the Debian package maintainer you have some bug
gardening to do. The URL I linked,
<http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dtc;dist=unstable>, lists
*only* the bugs that are shown in the BTS as affecting the version of the
package in unstable.

Hope that helps,
--
Steve Langasek                 Give me a lever long enough and a Free OS
Debian Developer               to set it on, and I can move the world.
Ubuntu Developer               http://www.debian.org/
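Steve's point is that the BTS decides which versions a bug affects from the found and fixed versions recorded on the bug, which is why "fixed in 0.34.1" only counts once the maintainer records it. As an added example (not code from the Debian BTS or dpkg), here is a Python implementation of the Debian version-ordering rules (epoch, upstream, revision, with `~` sorting before the end of a string) and a simplified, linear-history approximation of the BTS "affects version X" test. The version numbers are the ones from this thread; that a bug was found in 0.32.10-2 is an assumption made for the demo, and the function names are the example's own.

```python
"""Debian version ordering and a simplified BTS 'affects version' check.
Added example, not dpkg's or the BTS's code.  Version strings are the ones
from the thread; the found/fixed lists in the demo are assumptions."""


def _order(c):
    """Sort weight of one non-digit character, following the dpkg rule:
    '~' sorts before the end of the string, letters before non-letters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream or revision strings: alternate non-digit runs
    (character by character via _order) and digit runs (numerically)."""
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        first_diff = 0
        while (i < la and not a[i].isdigit()) or (j < lb and not b[j].isdigit()):
            ac = _order(a[i]) if i < la else 0
            bc = _order(b[j]) if j < lb else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < la and a[i] == "0":          # leading zeros are not significant
            i += 1
        while j < lb and b[j] == "0":
            j += 1
        while i < la and j < lb and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < la and a[i].isdigit():          # longer digit run is larger
            return 1
        if j < lb and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]'; a missing revision compares
    equal to '0', as Debian Policy specifies."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def bug_affects(version, found, fixed):
    """Linear-history approximation of BTS version tracking: the bug is
    present in `version` if some recorded found version is <= version and no
    recorded fixed version lies between that found version and `version`.
    (The real BTS walks the package's changelog tree, so a fix in a stable
    security upload is handled there; this keeps to one line of history.)"""
    for f in found:
        if compare_versions(f, version) > 0:
            continue
        healed = any(compare_versions(f, x) <= 0 and compare_versions(x, version) <= 0
                     for x in fixed)
        if not healed:
            return True
    return False


if __name__ == "__main__":
    found = ["0.32.10-2"]                     # assumed for the illustration
    for fixed in ([], ["0.34.1"]):
        for v in ("0.29.18", "0.32.10-2", "0.34.1"):
            print("fixed=%-12s %-10s affected=%s"
                  % (fixed, v, bug_affects(v, found, fixed)))
```

With no fixed version recorded, 0.34.1 in unstable is still listed as affected; once `fixed 0.34.1` is recorded, 0.34.1 drops off while 0.32.10-2 (the version that was in oneiric) stays affected, which is exactly the gap between "I fixed it" and what the BTS query at the URL above shows.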

Thomas Goirand (thomas-goirand) wrote :

On 09/14/2011 10:21 PM, Steve Langasek wrote:
> No, they are not marked as fixed in 0.34.1. If you believe these bugs are
> fixed, then I think as the Debian package maintainer you have some bug
> gardening to do. The URL I linked,
> <http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=dtc;dist=unstable>, lists
> *only* the bugs that are shown in the BTS as affecting the version of the
> package in unstable.
>
> Hope that helps,

Oh! This indeed helps, I thought I did mark them as fixed in 0.34.1.
Thanks for pointing that out.

As I wrote, there are still some RC policy issues, namely #637501 and
#637622. I have plans to fix them, but it will of course take time. As
for #640605, I believe it must be an issue in courier, not in my package
(I couldn't reproduce it).

Thomas

P.S: I can understand if you don't want the package in Ubuntu because of
what we've been discussing (eg: input sanitizing has to be reworked to
get some kind of more straightforward logic and the package has to be more
policy compliant, which are both work in progress), but I couldn't leave
this Ubuntu bug entry with false statements and the package being removed
for wrong reasons.
