[Pkg-erlang-devel] Bug#570013: 570013 need more info

Sam Bisbee sbisbee at computervip.com
Thu Mar 11 19:47:04 UTC 2010

On Thu, Mar 11, 2010 at 08:28:49PM +0100, Florian Weimer wrote:
> * Sam Bisbee:
> > On Thu, Mar 11, 2010 at 07:07:13AM +0100, Florian Weimer wrote:
> >> * Sam Bisbee:
> >> 
> >> > As the last communication for bug #570013
> >> > (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=570013) was on 2/19, I will
> >> > be closing this bug on 3/19 unless there is any further information sent to it.
> >> 
> >> Ahem, has the bug been fixed?
> >
> > Florian, as my e-mail detailed we have been waiting for more information on
> > this ticket for about a month.
> Upstream has said that they are discussing it on their non-public
> security mailing list.  So I guess we have to wait for them to come up
> with a solution.

As I detailed in my e-mail a month ago (Message #19 in the thread, which got
mis-ordered by BTS) I know of no viable programmatic solution that we could
employ. All of the suggested solutions that I know of are either flawed (i.e.,
tokens) or are security through obscurity (which we don't want). In that e-mail
I asked if you knew of any other solution, which I would be happy to consider.

If you don't have any suggestions, and since this is really a flaw of
client/server architectures (you can never trust the client) and not CouchDB or
its Futon interface, I'll be closing this ticket with a wontfix tag. 

Of course, if a solution is found in the industry or upstream releases
something, then I'll associate those changes with this ticket.


Sam Bisbee
