Kees wrote:
> [...] This bug seems relatively minor

I respectfully disagree. Users expect a stable system to be, umm,
stable. When applications randomly quit and cause data loss, this is
hardly stable. Novice users concerned about security might blindly
install chkrootkit based on a friend's tip, and system administrators
responsible for lots of enduser systems might systematically install
chkrootkit to keep an eye on things; in both cases, the goal is
increased security; instead, there is increased risk.

How big is that risk? An assessment appears in the first report for
Debian bug 457828:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=457828

My own anecdotal evidence: we have been running Ubuntu Hardy with
chkrootkit on about 40 systems for a couple months, and this bug has
struck us at least twice.

Although it hasn't happened to me, imagine it were to kill sshd on a
server to which you do not have physical access, or were to kill apache
on a production webserver? What if it kills syslog or an intrusion
detection system? Sure, the chance that a random process sitting at PID
12345 is also a security-related process is low; nonetheless, that
chance is non-zero. This is why I suggested a fix go into ubuntu-security.

The chance of this bug simply hitting an application and causing user
data loss or unexpected behavior is higher. So if you won't elect this
for ubuntu-security, it seems it should at least go into ubuntu-updates.
I base these thoughts on the following excerpt from
https://help.ubuntu.com/community/UbuntuBackports :

-backports vs -proposed/-updates/-security
==========================================
-Security offers patches for security vulnerabilities in Ubuntu packages. They
are managed by the Ubuntu Security Team and are designed to change the
behavior of the package as little as possible -- in fact, the minimum
required to resolve the security problem. As a result, they tend to be
very low-risk to apply and all users are urged to apply security
updates.
-Updates offers patches for serious bugs in Ubuntu packaging that do not affect
the security of the system. More directly, serious bugs are bugs that
can directly cause loss of user data or represent a severe deviance
from expected behavior. These updates are held up to similarly strict
quality assurance as -security, in that the patches must be the minimum
amount of change required to fix the bug. The fixes must be documented
and verified by QA testers before they are accepted. These should also
be low-risk to breakage and users are recommended to install them as a
part of a regular update, or pick updates to bugs that affect them.

> and probably
> doesn't qualify for an SRU for previous stable releases.

From https://wiki.ubuntu.com/StableReleaseUpdates I would say the
following excerpts are appropriate here:

Why
===
Users of the official release, in contrast, expect a high degree of
stability. They use their Ubuntu system for their day-to-day work, and
problems they experience with it can be extremely disruptive. Many of
them are less experienced with Ubuntu and with Linux, and expect a
reliable system which does not require their intervention.

When
====
    * Bugs which may, under realistic circumstances, directly cause a security vulnerability.
    * Bugs which may, under realistic circumstances, directly cause a loss of user data

> If you need
> this bug fixed in a stable version of Ubuntu, please follow the
> instructions for getting a backported package via "How to request new
> packages" at https://help.ubuntu.com/community/UbuntuBackports#request-new-packages

I am *not* suggesting that chkrootkit 0.48-5 from Intrepid be backported
to Hardy. There are all sorts of new features and changes. Putting all
that into Hardy would be a high-risk move.

I am instead suggesting that chkrootkit 0.47-1.1 in Hardy receive a
security update just to fix this bug and make no other changes. This
matches what happened in Debian stable, when 0.47.1.1 was replaced with
0.47-2.

-- 
chkrootkit kills random processes
https://bugs.launchpad.net/bugs/279752

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs