[Pkg-gnutls-maint] Bug triage

James Westby jw+debian at jameswestby.net
Wed Jun 7 18:11:13 UTC 2006


On (07/06/06 19:06), Andreas Metzler wrote:
> On 2006-06-06 James Westby <jw+debian at jameswestby.net> wrote:
> > Hi guys,
> 
> > 352182 - Crash in the ASN.1 DER decoder
> 
> The real *reverse* dependencies of libtasn1 are almost nothing besides
> gnutls:
> (SID)ametzler@argenau:~$ grep-dctrl -FBuild-Depends libtasn1-2 -sPackage /var/lib/apt/lists/ftp.at.debian.org_debian_dists_sid_main_source_Sources
> Package: gnutls11
> Package: shishi
> 
> There are loads of other packages *linking* against libtasn1 but I
> doubt that more than one of these actually use it, they just link
> against a bunch of libraries (including the whole gnutls dependency
> chain) for no reason at all (pkg-config/libtool breakage). Afaiui
> these packages wouldn't inherit the libtasn vulnerability.
> 
> Fixed libtasn1-2 and the current libtasn1-2 are not completely API
> compatible AFAIUI (older gnutls cannot link against it), so it seems
> to be a waste of time to pursue this instead of simply using
> libtasn1-3 in the 4 packages that actually matter.

Thanks for the clarification. I see the reasoning now.

> 
> > 352188 - Crash in the ASN.1 DER decoder
> 
> This package should never have been released with sarge:
> 
> we should try to get it removed from there if that is possible.

What is the procedure for doing that?

> 
> > 309111 - [GNUTLS-SA-2005-1] DoS security problem in gnutls <=1.0.24 (and
> > <=1.2.3)
> If you are positive that is fixed please do so, you are the
> maintainer. - Noting down which versions you verified to be fixed in
> the bug-report would be helpful.

I will check for a third time, and then close it.

> > 364287 and 364291 are for upstream. What is the usual way of reporting
> > things to the gnutls developers? Does the mailing list suffice? (I think
> > these two deserve to be normal rather than wishlist as they are features
> > I would expect to be in the program).
> [...]
> 
> I agree that they should be forwarded, however I still think they are
> wishlist requests.

I will have a quick look to see how difficult they are, then forward
them. I'll demote them to wishlist.

> 
> Yes, the mailing list gnutls-dev
> http://lists.gnupg.org/mailman/listinfo/gnutls-dev 
> is the way to go afaik.

Thanks for your advice, hopefully I'll be up to speed soon.

James

-- 
  James Westby
  jw+debian at jameswestby.net
  http://jameswestby.net/



