On Thu, Apr 25, 2024 at 02:54:32PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the src:radare2 package:
> 
> #950372: Is radare2 suitable for stable Debian releases?
>...
>  radare2 (5.9.0+dfsg-1) unstable; urgency=medium
>  .
>    * New upstream version. (Closes: #1034862, #1060127, #950372)
>...
> It is understandable (and normal for most software) that upstream
> is not able or willing to provide security support for the old
> version shipped in stable distribution releases.
> 
> But below seems to be upstream actively encouraging exploiting
> the version in stable.
> 
> AFAIK Debian in general tries to avoid shipping software when upstream
> strongly objects to it, or is openly hostile towards Debian.
> 
> <--  snip  -->
> 
> https://rada.re/con/2019/
> 
> PwnDebian
> 
> Since the very beginning of radare development we had people complaining of 
> bugs because they were using the 3-4 year old version shipped in their 
> distro. We tried to work with everyone who ships builds of r2 to always get 
> updates and merge back their patches upstream so everyone gets benefit out of 
> it.
> 
> But that has not been enough. In github/radare2 we can check out most of 
> known/used Linux and BSD distros and the shipped r2 version, and it's pretty 
> clear that Debian/Ubuntu stopped updating those packages a long time ago 
> (3.2.1). Yes, the 0.9.6 drama is over.
> 
> The aim of this competition is to publish a working exploit for radare2 on 
> Debian stable (nowadays, unstable keeps the same version). To show that 
> debian-security and backporting patches is not solving enough when 
> distributing such state-of-the-art packages.
> 
> In order to win this competition, we will accept only 1 working exploit (the 
> first one to submit it) for radare2-3.2.1 (built for x86-64 debian/stable). 
> Additional points will be given for writing some notes or presenting at r2con 
> the way the vuln was found and how the exploit was developed.


Hi Alex,

has there been any change in the attitude radare2 upstream has towards 
distributions?

cu
Adrian