clone 693087 -1 -2 -3
reassign -1 ftp.debian.org
user ftp.debian....@packages.debian.org
usertags -1 rm
retitle -1 RM: pam-rsa -- RoST; unmaintained, buggy and dangerous
user release.debian....@packages.debian.org
reassign -2 release.debian.org
usertags -2 rm
retitle -2 RM: pam-rsa -- RoST; unmaintained, buggy and dangerous
tags -2 + wheezy
reassign -3 release.debian.org
usertags -3 rm
retitle -3 RM: pam-rsa -- RoST; unmaintained, buggy and dangerous
tags -3 + squeeze
thanks

On Thu, 2012-11-15 at 07:48 +0100, Yves-Alexis Perez wrote:
> Control: clone -1 -2 -3
> Control: reassign -2 ftpmasters

Hopefully fixed now. :-)

> On mar., 2012-11-13 at 21:56 +0100, Yves-Alexis Perez wrote:
> > On mar., 2012-11-13 at 09:00 -0800, Ian Zimmerman wrote:
> > > Jan> Is it possible to reproduce that xscreensaver crash also without
> > > Jan> libpam-rsa module being used? (when using pam-unix login
> > > Jan> alternative with the same scenario)
> > >
> > > No, it doesn't happen with pam-unix. This had been kicked around the
> > > debian security team for a couple of days before this bug was posted.
> > > You may want to contact them to coordinate your response.
> > >
> > Yes, we were made aware of the issue.
> >
> > Seeing the gravity of the bug, the number of people using it, the time
> > of last (upstream) release and the number of NMU, we're considering just
> > removing it from Debian altogether, unless you have a decisive argument
> > to keep it (and fix the bug quickly).
> >
> Doing this now (hoping the Control: syntax will work).

Not so much. :-( Nor does ftpmasters@d.o or the ftpmasters package
exist. :-) Hopefully it's now as you intended.

> ftpmasters, release team: the security team is requesting the removal of
> the pam-rsa package because we were made aware of the above (#693087)
> bug: in some situations, pam_rsa module will cause a segfault in
> xscreensaver, leaving the screen unlocked.
>
> Package seems to be mostly abandoned upstream (last release in 2007,
> called a “beta release” and no answer from the bug address on the
> upstream webpage) and, although the Debian maintainer seems around,
> there were only NMUs since 2007.
>
> In our opinion, considering the low pam-rsa usage (and even questioning
> the real benefit of the package) it'd be just best to remove it
> altogether.
>
> Thus, we'd like the removal from at least testing and unstable. For
> stable, I'm a bit unsure about how we're supposed to handle a package
> disappearance in stable, so I'm available for discussion (although we
> don't think it's really supportable in the current state).

I've cloned a copy of the bug for stable, so we can look at that
separately.

Regards,

Adam