[Pkg-gnutls-maint] Bug triage

James Westby jw+debian at jameswestby.net
Tue Jun 6 21:52:53 UTC 2006


Hi guys,

I have had a first go at a bug triage to try and work out which of the
outstanding bugs should be tackled first. I see Andreas has been busy
with the uploads that will close many bugs.

My first priorities were the security bugs, so I'll start with those.

352182 - Crash in the ASN.1 DER decoder

  This is the bug that is fixed in libtasn1-3 in unstable, and has been
  fixed in sarge. However libtasn1-2 is still vulnerable in testing and
  sid. I'm unsure of what the usual thing to do here is, as the
  vulnerable library will have to hang around until all of the reverse
  dependencies have transitioned. Andreas, you said uploading -3 was the
  only sane way to fix the bug, can you explain what you meant by that?
  What is stopping us from using the patch that has been supplied to fix
  -2 as well? Please forgive me if I have this wrong.

352188 - Crash in the ASN.1 DER decoder

  This is the same bug as above, but cloned to libtasn1-0 which is still
  in sarge, and is affected. I have been trying to apply the patch for
  -2 to this version, but it's not that easy. Should we be pursuing this
  line of attack?

309111 - [GNUTLS-SA-2005-1] DoS security problem in gnutls <=1.0.24 (and
<=1.2.3)

  The fix in the bug report appears to have been applied to all versions
  in the archive. Shall I close this one?

  The NMU seems to have made it into sarge after the bug was reopened
  for sarge but no one closed it when it transitioned (speculation).

There were a few other bugs that caught my eye as candidates for a quick
fix.

355272 - [amd64] "The gcrypt library version is too old"

  This appears to have been fixed, as libgnutls12 now depends on
  libgcrypt11 (>= 1.2.2) as required.

361874 - libgnutls12: uninstallable due to Conflicts/Depends cycle with
libtasn1-2

  I think this one can probably be closed as well, as it has probably
  been long enough.

364287 and 364291 are for upstream. What is the usual way of reporting
things to the gnutls developers? Does the mailing list suffice? (I think
these two deserve to be normal rather than wishlist as they are features
I would expect to be in the program).

Let me know your thoughts on this. 

Going through the bug reports it seems that most of them can be solved
easily as we start re-packaging everything, hopefully that will be true.

James

-- 
  James Westby
  jw+debian at jameswestby.net
  http://jameswestby.net/
