[pkg-wicd-maint] Bug#901592: wicd-daemon: please remove the vulnerable dhcpcd5 from the OR'ed dependencies
Axel Beckert
abe at debian.org
Fri Jun 15 11:37:31 BST 2018
Control: severity -1 important
Control: retitle -1 wicd-daemon: please don't list the vulnerable dhcpcd5 first in the OR'ed dependencies
Hi,
Vincent Lefevre wrote:
> Due to bug 852343, wicd-daemon now depends on
>
>   dhcpcd5 | isc-dhcp-client | pump | udhcpc
Hrm. That bug report never has been closed. Ah, no, you were wrong:
It's not due to #852343 (which is indeed still open), but due to
#783272.
> but dhcpcd5 has been vulnerable since at least 2014:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=846938
>
> (dhcpcd5: CVE-2014-7913). And as a consequence, wicd has now been
> removed from testing:
>
> https://tracker.debian.org/news/965137/wicd-removed-from-testing/
For some reason unclear to me, it migrated back to testing less than a
day later:
https://packages.qa.debian.org/w/wicd/news/20180615T043913Z.html
Found no according hint in
https://release.debian.org/britney/hints/ and the bug has neither been
fixed nor has dhcpcd5 been removed from Debian.
> The unnecessary dependency on dhcpcd5 should be removed.
I disagree: Neither should the dependency be removed nor is it
unnecessary.
On the contrary: It would be a policy violation if I (just) remove that
dependency because wicd _has_ a relation with dhcpcd5 and hence
requires a package relation with it. And already alone because of that
it is surely not RC.
The only thing I likely will change in wicd is to not keep dhcpcd5 as
first of the alternative list of DHCP client dependencies, but move
isc-dhcp-client to the first position.
Retitling the bug report accordingly and lowering the severity.
Regards, Axel
--
,''`. | Axel Beckert <abe at debian.org>, https://people.debian.org/~abe/
: :' : | Debian Developer, ftp.ch.debian.org Admin
`. `' | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
`- | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE