On Mon, 31 Mar 2008, Joey Hess wrote:
> By bringing an issue to the tech ctte, both sides of the issue have
> to give up some control, and thus responsibility. So in this case it's
> not just wordpress's maintenance, but also the security support
> work that the security team would normally handle (ie, writing DSAs
> and pushing out fixes) that the tech ctte delegate would be
> responsible for.

I agree that the stable security team should no longer be responsible for the wordpress package,[1] but when the maintainer (whose responsibility it is anyway) has stepped up and said that they were going to maintain the packages through a full stable release cycle, then they have the responsibility to do so. If that breaks down, members voting for the referendum should exercise responsibility instead. I just disagree with the idea that a TC decision automatically absolves all parties (save the TC) to the decision of their responsibilities.

> FWIW, at least these security holes seem pretty bad:
>
> CVE-2007-3543, CVE-2007-3544 remote upload and execution of php code
> CVE-2007-4154 7 varieties of SQL injection
> CVE-2008-0196 directory traversal via "..", and arbitrary file modification
> CVE-2007-1599, CVE-2007-3639 redirect authenticated users to other sites
> and obtain potentially sensitive information

Yuck.

On Mon, 31 Mar 2008, Moritz Muehlenhoff wrote:
> Don Armstrong wrote:
> > The package in question, as problematic as it is, has an active
> > maintainer who claimed that he would do exactly this.
>
> People claim stuff all the time. It's also Neil McGovern who
> promised to do it and never did so. (Which is especially bad since
> at least two people quoted this to be a reason to keep it in their
> vote)

It's not clear to me what sort of guarantee you would require; at some point it all comes down to people and their commitments. People who serve on the CTTE as well as people in general can always renege on their commitments. They shouldn't do so, but it happens anyway.


Don Armstrong

1: Though I must admit that it's not clear to me why
http://packages.qa.debian.org/w/wordpress/news/20080306T195216Z.html
hasn't been accepted.

--
A citizen of America will cross the ocean to fight for democracy, but
won't cross the street to vote in a national election.
 -- Bill Vaughan

http://www.donarmstrong.com              http://rzlab.ucr.edu