[mosh-devel] Status of two submitted patches
Axel Beckert
abe at deuxchevaux.org
Tue Apr 16 14:40:06 EDT 2013
Hi,
On Tue, Apr 16, 2013 at 01:54:52PM -0400, Quentin Smith wrote:
> >On Tue, Apr 16, 2013 at 01:41:19PM -0400, Alex Chernyakhovsky wrote:
> >>I wonder if it's possible for mosh to switch back to the old self-pipe
> >>code, now that ftpmaster has approved of mosh, and "sneak it in".
> >
> >Don't forget that there are Debian folks (like me :-) are reading this
> >list, too. ;-)
>
> Mm, so, Debian folks, how should we fix this? ;)
For some reason, I already expected such a question. ;-) And I think
that question is fair, so I'll try to answer it as well as I can.
I don't know the exact details of what the discussion was back then,
but it seemed to be about embedded code copies, which are generally bad
from a security point of view. (And the security team of every
distribution will tell you that. :-)
http://wiki.debian.org/EmbeddedCodeCopies says: "Debian Policy 4.13
states that Debian packages should not use convenience copies." --
From what I read in this thread, the issue seems more than just
"convenience". Nevertheless embedded code copies are still a bad
thing.
So I'd try the following:
* Convince the maintainer of the Debian package whose code you would
  like to embed (according to the mentioned library/filename it
  seems either skalibs, http://packages.qa.debian.org/skalibs or
  dietlibc, http://packages.qa.debian.org/dietlibc) to either
  - compile the package in a way it's usable for you, or
  - let the source package build a second binary package which works
    the way you need it without affecting others.
* Convince those who objected previously (or the Debian Security Team,
  who are mostly the ones who have to do the work caused by embedded
  code copies, see http://wiki.debian.org/EmbeddedCodeCopies) that the
  modified version of that library is necessary. They'll then keep
  track of it and -- when necessary -- will check if your program is
  affected by security issues of the embedded code copy.
I think letting embedded code copies "sneak in" is the worst you can
do at that point, also from a trust POV.
HTH.
Kind regards, Axel
--
/~\ Plain Text Ribbon Campaign | Axel Beckert
\ / Say No to HTML in E-Mail and News | abe at deuxchevaux.org (Mail)
X See http://www.asciiribbon.org/ | abe at noone.org (Mail+Jabber)
/ \ I love long mails: http://email.is-not-s.ms/ | http://noone.org/abe/ (Web)