Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> writes:

> Karl, I have just recently browsed the passwd packages bugs and there are
> quite a number of them that have not been addressed (some) for over a year.
> Many of these bugs could be considered security related because some of
> the tools provided will not work with MD5 passwords (recommended in Debian
> installation).

Many of the older ones I inherited from the previous maintainer, and many of them I believe were fixed by the previous maintainer and are still open because I tend to put new packages ahead of debbugs maintenance.

> Many bug reports do not even have a followup by the maintainer saying:
> "this is true, will fix". There is a new release upstream (as #150237
> says) that seems to fix some of the bugs (such as #142070, #89803, #81721)
> since PAM support has been added (as far as I can see in
> http://cvs.pld.org.pl/shadow/ChangeLog?rev=1.1) also these entries are
> important:

I know about the new release. Why does everyone assume that I don't? I'm currently slogging through the debian-specific patches from the previous-version packaging, and not enjoying it very much because the new upstream reformatted all the C code.

> * src/useradd.c:
>   - fix a security bug (adduser could overwrite previously existing
>     groups (shadow-19990827-group.patch from RH),
> * lib/commonio.c:
>   - installed fix for SEGV when using pwck -s on /etc/passwd file with
>     empty lines in it

Neither of those seem especially earth-shattering. Annoying, yes, but not earth shattering [and I'd need some convincing that the useradd bug was actually a security problem.]

> Most other changes are documentation-related (translated manpages).
>
> Do you need help with this package? You could consider uploading a new
> upstream version up to experimental and ask bug-trackers to follow it and
> see if it fixes (some of) the bugs that are currently over a year old.

What I have now works for me, but I suspect it would be badly broken for most people. I'll consider whether I'll die of embarrassment if I upload it to experimental.

> PS: Incidentally I just filed a bug against xscreensaver and against passwd,
> sorry :(

Hmm, don't see your passwd bug yet. And I'm not convinced at all by your xscreensaver bug. :-)

kcr