On 8/29/2013 8:24 AM, Andrew Wood wrote:
> On 28/08/13 01:13, Jerry Stuckle wrote:
>> Reading through the bug report, it looks like upstream didn't accept
>> it. Debian stays as close as possible to upstream, for good reason.
> I agree it's good to keep things as close as possible to upstream, but
> unless upstream can present some compelling argument for why they've
> chosen to run it as root, surely this would be a good case to deviate?
> Running a network daemon as root is poor security practice and just
> plain poor design.
The problem with changing upstream code is it is not a one-shot deal.
Changes must be investigated and applied every time a new version comes
out, which means someone has to keep track of the changes which were
done, and see how they fit into the new code. It can be a very
time-consuming job.
Additionally, one needs to investigate other packages which interface to
this one, to see how they may be affected. Does anything depend on the
operation as documented by upstream? It gets very complicated, very
quickly.
You can apply a patch to your own system pretty easily, and back it off
if it doesn't work. But changing code for a system like Debian is a
whole different story.
If you feel this is such a security exposure (personally, I don't see it
as a big exposure), then I suggest you take it up again with upstream.
Jerry
Archive: http://lists.debian.org/521f4bcb.7090...@attglobal.net