On Mon, Jun 08, 2020 at 07:44:22PM +0200, Matija Nalis wrote:
> Hi,
>
> I see djbdns is removed from testing, due to unarchiving of
> critical bug #516394
>
> However, as source package djbdns 1:1.05-11 builds several binary
> packages (axfrdns, djbdns-conf, djbdns-utils, rbldns, tinydns,
> walldns) and the bug is only in (if not patched) dnscache,
> would other packages reenter testing and later new stable Debian?
Hi,

I just adopted the djbdns package; the 1:1.05-12 upload with a couple of packaging fixes should hit unstable in the mirror sync (it has already been built on most architectures; I'll drop the lsof build dependency in the next upload so that it builds on even more).

Apropos, let me express my thanks to Dmitry Bogatov for the large overhaul in 1:1.05-10: bringing the Debian packaging up to date and incorporating some bugfixes from other packaging systems.

Now... related to that. I am not sure whether Moritz Muehlenhoff, when reopening this bug, was aware of the fact that Dmitry Bogatov included two patches from Jeff King that address the cache poisoning attack - and actually, the patches were mentioned in this bug log by Matija Nalis back in 2010.

Moritz, is it possible that you had missed the inclusion of these two patches, or do you believe that they, by themselves, are still not enough to address this problem? If so, that would indeed be kind of unfortunate, since it is my impression that these particular patches are considered the best way to handle this among users of Prof. Bernstein's software.

Of course, I do not intend to argue with the Security Team - I only have the utmost respect and gratitude for everything you people do for Debian! So if it is still your collective stated position that Jeff King's patches, applied to the djbdns package in Debian as debian/patches/0007-dnscache-merge-similar-outgoing-udp-packets.patch and debian/patches/0008-Cache-SOA-records.patch, are not enough, then I guess I may have to look for some other way to manage the situation, possibly breaking dnscache off into its own source package to allow the rest to eventually migrate to testing.

I am late in coming to this discussion, so let me express my thanks to everyone who has spoken their mind in good faith in the bug log.
Here's hoping we find some way to move forward :)

G'luck,
Peter

-- 
Peter Pentchev  r...@ringlet.net r...@debian.org p...@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13