Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh

To: tech-pkg%netbsd.org@localhost
Subject: Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh
From: Aleksej Saushev <asau%inbox.ru@localhost>
Date: Thu, 31 Jan 2013 22:32:38 +0400

Noud de Brouwer <noud4%home.nl@localhost> writes:

> vulnerabilities in NetBSD are no longer taken serious.
>
> example, take:
> CVE-2012-4559, CVE-2012-4560, CVE-2012-4561 and CVE-2012-4562
> we can not say _anything_ if we have this vulnerability,
> given we have an impostor libssh and not _the_real_thing_
> that we do distribute to you all.
>
> i am total ashame our platform.

You'd rather be ashamed of yourself. There's little to be said about
the way you deal with this minor problem (only a handful of packages
affected which tells about the impact).

> Date: Thu, 31 Jan 2013 15:16:37 +0000 (UTC)
>
>>Number:         47518
>>Category:       pkg
>>Synopsis:       security/libssh MUST be replaced by the real wip/libssh
>>Confidential:   no
>>Severity:       critical
>>Priority:       high
>>Responsible:    pkg-manager
>>State:          open
>>Class:          change-request
>>Submitter-Id:   net
>>Arrival-Date:   Thu Jan 31 15:20:00 +0000 2013
>>Last-Modified:  Thu Jan 31 15:40:04 +0000 2013

Thus, you have posted it all within minutes leaving no time for any reaction.

> security/libssh in an imposter and wip/libssh is the real thing.
>
>
> security/libssh/Makefile:
> DISTNAME=       libssh-0.11
> PKGREVISION=    3
> CATEGORIES=     security
> MASTER_SITES=   http://www.0xbadc0de.be/libssh/
>
>
> wip/libssh/Makefile:
> DISTNAME=               libssh-0.5.3
> CATEGORIES=             security
> MASTER_SITES=           http://www.libssh.org/files/0.5/

One IRC user has pointed you that source files for libssh-0.11
(the one pkgsrc refers to) and libssh-0.1 (the one libssh.org distributes)
are identical. Thus, 0xbadc0de.be is not an impostor.

Thus, you're lying in public.

> i high advise to retrieve ASau his account, even want his
> sponsor to be monitored now (given i do not constant want to
> check for booby-traps, backdoors and the like given time.)

Why not close the project as well? Perhaps, there're more developers
who created bugs with security impact (sometimes more severe than ones
in almost unused package I have almost no relation to).

-- 
HE CE3OH...

References:
- Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh
  - From: Noud de Brouwer

Prev by Date: Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh
Next by Date: Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh
Previous by Thread: Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh
Next by Thread: Re: pkg/47518: security/libssh MUST be replaced by the real wip/libssh
Indexes:

Home | Main Index | Thread Index | Old Index