Debian Bug report logs - #413269
wordpress: Should not ship with Etch

Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress.

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 3 Mar 2007 20:18:02 UTC

Severity: serious

Tags: etch, security

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Kai Hendry <hendry@iki.fi>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: Should not ship with Etch
Date: Sat, 03 Mar 2007 21:15:33 +0100
Package: wordpress
Severity: serious

On behalf of the Security Team I'm requesting the removal of Wordpress
from Etch. There's a steady flow of security issues being found in
Wordpress and we don't believe it's sanely maintainable over the
course of 30-36 months. (Etch life-time)

As an example, the versions fixing vulnerabilities of the last four
months only:

  wordpress (2.1.1-1) unstable; urgency=high
  .
    * New upstream security release
    * Updated copyright with new download link
    * http://wordpress.org/development/2007/02/new-releases
    * http://trac.wordpress.org/milestone/2.1.1
    * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1049

  wordpress (2.0.8-1) testing-security; urgency=high
  .
    [Neil McGovern]
    * Non-maintainer upload by security team.
    * Fixes for CVE-2007-0539 and CVE-2007-0541
    [Kai Hendry]
    * New upstream release
    * Security fix, urgency high for etch

  wordpress (2.0.7-1) unstable; urgency=low
  .
    * New upstream release
    * New upstream available (security fix) (Closes: #407116)

  wordpress (2.0.6-1) unstable; urgency=high
  .
    * New upstream release
    * Security fix, urgency high.
    * FrSIRT/ADV-2006-5191, CVE-2006-6808: WordPress "get_file_description()"
      Function Client-Side Cross Site Scripting Vulnerability.
      (Closes: #405299, #405691)

  wordpress (2.0.5-0.1) unstable; urgency=medium
  .
    * NMU on maintainer's request.
    * Security fix, urgency medium.
    * readme.html: s/license.txt/copyright/. (Closes: #382283)
    * New upstream release, which fixes:
      - CVE-2006-4208: Directory traversal vulnerability in WP-DB-Backup
        plugin for WordPress. (Closes: #384800)

Even more worrying, their infrastructure was hacked and they had a
compromised tarball up for download:

http://wordpress.org/development/2007/03/upgrade-212/

Cheers,
        Moritz

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
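The changelog excerpt above is in the standard Debian changelog format (a stanza header `source (version) distribution; urgency=...`, then indented entry lines), which makes the "how many uploads were security uploads, and for which CVEs" question mechanical to answer. The following is an added example, not part of the bug report or of the wordpress package: a small parser that splits that excerpt into stanzas, flags a stanza as a security upload when its body names a CVE, mentions "security", or targets a `*-security` suite, and collects the CVE identifiers. The `CHANGELOG` string is the excerpt quoted in the report, embedded inline; the flagging rule is this example's own heuristic, not Debian tooling.

```python
import re
from collections import Counter

# The changelog excerpt quoted in the bug report, embedded inline (lone "."
# lines are the dpkg convention for a blank line inside a stanza).
CHANGELOG = """\
wordpress (2.1.1-1) unstable; urgency=high
.
  * New upstream security release
  * Updated copyright with new download link
  * http://wordpress.org/development/2007/02/new-releases
  * http://trac.wordpress.org/milestone/2.1.1
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1049

wordpress (2.0.8-1) testing-security; urgency=high
.
  [Neil McGovern]
  * Non-maintainer upload by security team.
  * Fixes for CVE-2007-0539 and CVE-2007-0541
  [Kai Hendry]
  * New upstream release
  * Security fix, urgency high for etch

wordpress (2.0.7-1) unstable; urgency=low
.
  * New upstream release
  * New upstream available (security fix) (Closes: #407116)

wordpress (2.0.6-1) unstable; urgency=high
.
  * New upstream release
  * Security fix, urgency high.
  * FrSIRT/ADV-2006-5191, CVE-2006-6808: WordPress "get_file_description()"
    Function Client-Side Cross Site Scripting Vulnerability.
    (Closes: #405299, #405691)

wordpress (2.0.5-0.1) unstable; urgency=medium
.
  * NMU on maintainer's request.
  * Security fix, urgency medium.
  * readme.html: s/license.txt/copyright/. (Closes: #382283)
  * New upstream release, which fixes:
    - CVE-2006-4208: Directory traversal vulnerability in WP-DB-Backup
      plugin for WordPress. (Closes: #384800)
"""

# Stanza header: "source (version) distribution; urgency=level"
STANZA_HEADER = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>[\w-]+); urgency=(?P<urgency>\w+)$"
)
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
SECURITY_HINT = re.compile(r"\bsecurity\b", re.IGNORECASE)


def parse_changelog(text):
    """Split a Debian changelog into stanzas: header fields plus stripped body lines."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = STANZA_HEADER.match(line)
        if m:
            current = dict(m.groupdict(), body=[])
            stanzas.append(current)
        elif current is not None and line not in ("", "."):
            current["body"].append(line)
    return stanzas


def security_summary(text):
    """Count uploads, flag security uploads (heuristic), and collect CVE ids."""
    stanzas = parse_changelog(text)
    flagged, cves = [], set()
    for s in stanzas:
        body = "\n".join(s["body"])
        found = set(CVE_ID.findall(body))
        is_security = (
            bool(found)
            or s["dist"].endswith("-security")
            or SECURITY_HINT.search(body) is not None
        )
        if is_security:
            flagged.append(s["version"])
        cves |= found
    return {
        "uploads": len(stanzas),
        "security_uploads": flagged,
        "cves": sorted(cves),
        "urgency": dict(Counter(s["urgency"] for s in stanzas)),
    }


if __name__ == "__main__":
    for key, value in security_summary(CHANGELOG).items():
        print(f"{key}: {value}")
```

Run against a full `debian/changelog` the same code answers the question Bastian raises later in the thread (how many security uploads over the package's history); the heuristic will over-count slightly if an entry mentions "security" for another reason, so treat the output as a starting point for review, not a final number.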



Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to "Thibaut VARENE" <varenet@debian.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>. Full text and rfc822 format available.

Message #10 received at 413269@bugs.debian.org (full text, mbox):

From: "Thibaut VARENE" <varenet@debian.org>
To: "Moritz Muehlenhoff" <jmm@debian.org>, 413269@bugs.debian.org
Subject: Re: Bug#413269: wordpress: Should not ship with Etch
Date: Sat, 3 Mar 2007 23:03:35 +0100
On 3/3/07, Moritz Muehlenhoff <jmm@debian.org> wrote:
> Package: wordpress
> Severity: serious
>
> On behalf of the Security Team I'm requesting the removal of Wordpress
> from Etch. There's a steady flow of security issues being found in
> Wordpress and we don't believe it's sanely maintainable over the
> course of 30-36 months. (Etch life-time)

I didn't know the debian security team was entitled to ask for package
removal based on FUD.

Wordpress is well maintained, both upstream and in Debian. What the heck?

As to the "even more worrying" point, let's just recall that this is
exactly what happened to openssh[0]. And we had a number of Debian
machines compromised. Shit happens, I don't think that's a reason to
ask for package removal. This is plain and pure FUD.

T-Bone

[0] http://www.openssh.com/txt/trojan.adv



Information stored:
Bug#413269; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to Martin Zobel-Helas <zobel@ftbfs.de>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #15 received at 413269-quiet@bugs.debian.org (full text, mbox):

From: Martin Zobel-Helas <zobel@ftbfs.de>
To: 413269-quiet@bugs.debian.org
Subject: Re: Bug#413269: wordpress: Should not ship with Etch
Date: Sun, 4 Mar 2007 13:07:14 +0100
Hi, 

On Sat Mar 03, 2007 at 21:15:33 +0100, Moritz Muehlenhoff wrote:
> Package: wordpress
> Severity: serious
> 
> On behalf of the Security Team I'm requesting the removal of Wordpress
> from Etch. There's a steady flow of security issues being found in
> Wordpress and we don't believe it's sanely maintainable over the
> course of 30-36 months. (Etch life-time)

I can understand jmm from the security side of view. Looking at the
popcon count and the overall popularity of wordpress at all, I don't
share his opinion.

Greetings
Martin

-- 
[root@debian /root]# man real-life
No manual entry for real-life




Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to Bastian Venthur <venthur@debian.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>. Full text and rfc822 format available.

Message #20 received at 413269@bugs.debian.org (full text, mbox):

From: Bastian Venthur <venthur@debian.org>
To: 413269@bugs.debian.org, 413269-submitter@bugs.debian.org
Subject: wordpress: Should not ship with Etch
Date: Sun, 04 Mar 2007 18:58:55 +0100
I agree with Martin and object to the removal of wordpress from etch.
First, this would disappoint many users, second and most important: as
long as upstream provides fixes in reasonable time, why should we drop
such a popular package?

BTW I've counted the security uploads in wordpress' changelog and
according to my numbers it had something like 10 or 11 security issues
in 3 years. That doesn't sound too bad for such a popular php application :)


Cheers,

Bastian

-- 
Bastian Venthur                                      http://venthur.de
Debian Developer                                 venthur at debian org




Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#413269. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to Alan Tam <Tam@SiuLung.com>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>. Full text and rfc822 format available.

Message #28 received at 413269@bugs.debian.org (full text, mbox):

From: Alan Tam <Tam@SiuLung.com>
To: 413269@bugs.debian.org
Subject: wordpress: Should not ship with Etch
Date: Mon, 05 Mar 2007 15:41:13 +0800
Hi all,

I agree with Moritz that wordpress may pose a problem to debian.
Ubuntu has "stolen" version 2.0.2-2 from Debian 10 months ago,
and I suspect it is vulnerable to 21 CVEs [1]. I am open to see
how they are going to support it for 5 years.


> as long as upstream provides fixes in reasonable time,
> why should we drop such a popular package?

How about if upstream doesn't support the 2.1.x branch anymore?

Firefox 1.0.x and Bugzilla 2.16.x are in sarge, but upstream
ceased to provide security updates around 11 months ago [2] [3].
We still need to support them for 1 year after etch is released.
So how can we deal with them? It is the security team who
backports changes from newer versions to patch the old versions.

So can popularity affect the decision? I think so. If a package
is popular enough so that it makes sense for the security team
to put extra effort, it is perhaps a good idea. Otherwise,
"many people using an unpatched version" simply sounds worse!


-- 
Regards,
Alan

[1] https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/89654
[2] http://www.mozilla.org/news.html#p404
   "Mozilla Corporation is also strongly recommending that Firefox
    1.0 users upgrade to this latest release of Firefox 1.5 in
    order to take advantage of significant security and stability
    improvements."
[3] http://www.bugzilla.org/news/
   "After Bugzilla 2.22 is released, there will be no more security
    updates from the Bugzilla Project for the 2.16 branch."




Information stored:
Bug#413269; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #33 received at 413269-quiet@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Martin Zobel-Helas <zobel@ftbfs.de>, 413269-quiet@bugs.debian.org
Subject: Re: Bug#413269: wordpress: Should not ship with Etch
Date: Mon, 5 Mar 2007 01:30:09 -0800
On Sun, Mar 04, 2007 at 01:07:14PM +0100, Martin Zobel-Helas wrote:

> On Sat Mar 03, 2007 at 21:15:33 +0100, Moritz Muehlenhoff wrote:
> > Package: wordpress
> > Severity: serious

> > On behalf of the Security Team I'm requesting the removal of Wordpress
> > from Etch. There's a steady flow of security issues being found in
> > Wordpress and we don't believe it's sanely maintainable over the
> > course of 30-36 months. (Etch life-time)

> I can understand jmm from the security side of view. Looking at the
> popcon count and the overall popularity of wordpress at all, i don't
> share his opinion.

Yes, wordpress is popular; but

- Debian is not the only source for software in the world (I know, shocking,
  right? :), so not including it in etch doesn't mean users can't have it;
- just because software is popular doesn't mean we should lower our
  standards of quality to include it in a stable release -- users depend on
  us to *support* whatever we ship in stable, so if we don't think we can
  support it, we should avoid giving them that impression in the first
  place;
- the state of the art in packaging for web apps is not exactly stellar, so
  in many cases users are arguably better off /not/ using these apps in
  packaged form.

More persuasive to me than a popcon count would be evidence that wordpress
is not going to cause a disproportionate burden on the security team, and/or
that security support for wordpress isn't going to suffer substantially
because it's given a lower priority by the security team.

So presently, I still don't see any reason to override the security team's
position if they believe this package is not supportable over the lifetime
of a stable release.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#413269; Package wordpress. Full text and rfc822 format available.

Message #36 received at 413269@bugs.debian.org (full text, mbox):

From: Kai Hendry <hendry@iki.fi>
To: 413269@bugs.debian.org
Subject: Wordpress in etch
Date: Mon, 5 Mar 2007 18:12:53 +0000
I just confirmed *again* that upstream is committed to supporting
Wordpress 2.0.x until 2010.

So where is the burden to the security team? 

Packages in stable with committed upstream security support is probably
the exception more than the rule. So one would think, like I do, that
Wordpress is in fact a good example of a package to include in a Debian
stable release.

Information stored:
Bug#413269; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #41 received at 413269-quiet@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Steve Langasek <vorlon@debian.org>
Cc: Martin Zobel-Helas <zobel@ftbfs.de>, 413269-quiet@bugs.debian.org
Subject: Re: Bug#413269: wordpress: Should not ship with Etch
Date: Mon, 5 Mar 2007 19:20:46 +0100
On Mon, Mar 05, 2007 at 01:30:09AM -0800, Steve Langasek wrote:
> On Sun, Mar 04, 2007 at 01:07:14PM +0100, Martin Zobel-Helas wrote:
> 
> > On Sat Mar 03, 2007 at 21:15:33 +0100, Moritz Muehlenhoff wrote:
> > > Package: wordpress
> > > Severity: serious
> 
> > > On behalf of the Security Team I'm requesting the removal of Wordpress
> > > from Etch. There's a steady flow of security issues being found in
> > > Wordpress and we don't believe it's sanely maintainable over the
> > > course of 30-36 months. (Etch life-time)
> 
> > I can understand jmm from the security side of view. Looking at the
> > popcon count and the overall popularity of wordpress at all, i don't
> > share his opinion.
> 
> Yes, wordpress is popular; but
> 
> - Debian is not the only source for software in the world (I know, shocking,
>   right? :), so not including it in etch doesn't mean users can't have it;
> - just because software is popular doesn't mean we should lower our
>   standards of quality to include it in a stable release -- users depend on
>   us to *support* whatever we ship in stable, so if we don't think we can
>   support it, we should avoid giving them that impression in the first
>   place;
> - the state of the art in packaging for web apps is not exactly stellar, so
>   in many cases users are arguably better off /not/ using these apps in
>   packaged form.

Well put. Also:
- No other GNU/Linux distribution ships Wordpress except Gentoo (who only
  release new upstream versions, we could do the same through volatile)
- Not shipping wordpress is not a regression as it was never part of stable

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#413269; Package wordpress. Full text and rfc822 format available.

Message #44 received at 413269@bugs.debian.org (full text, mbox):

From: Kai Hendry <hendry@iki.fi>
To: 413269@bugs.debian.org
Cc: team@security.debian.org, debian-release@lists.debian.org
Subject: Wordpress in etch
Date: Mon, 5 Mar 2007 22:27:00 +0000
As micah suggests I will offer a "firm commitment to actually making
the security updated packages when the hole comes out, and even drafting
the DSA and delivering it to the security team on a silver platter) and
if it becomes untenable I will support the removal"

Below is the last email from upstream confirming support.

Best wishes,

----- Forwarded message from Ryan Boren <ryan@boren.nu> -----

From: Ryan Boren <ryan@boren.nu>
To: Kai Hendry <hendry@iki.fi>
Subject: Re: Etch
Date: Mon, 5 Mar 2007 13:52:27 -0800

On 3/5/07, Kai Hendry <hendry@iki.fi> wrote:
>On 2007-03-05T09:46-0800 Ryan Boren wrote:
>> On 3/5/07, Kai Hendry <hendry@iki.fi> wrote:
>> >http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413269
>> >If you say you can confirm support 2.0.x Wordpress like you agreed to
>> >before, I can take it from there.
>> We are committed to supporting 2.0.x until 2010.
>I was chatting with one of the guys in debian-security and he suggests
>to seal the deal, that I convince upstream (that's you) *only* to do
>security fixes on the 2.0.x branch. Think we can do that?

Beyond security problems, we typically only fix very high profile bugs
such as the feedburner issue and the bugs leading up to it.  We also
try to preserve forward compatibility with new releases of php, which
can be a pain in the ass.  During normal circumstances, however, 2.0
is strictly security fixes.  We'd had a number of those lately,
unfortunately, but that is due in part to the fact that WordPress
recently has been receiving a huge amount of security audit attention.
We're nearing the point where our security has been picked over by
everyone's fine tooth combs.  After the next release, I think the
security updates should slow down.

>Here the log of my discussion with micah:
>
>
>
>19:24 < Maulkin> hendry: I don't see why it shouldn't be supported. 2.0.x 
>gets security updates only - the work required by the security team is 
>almost none.
>19:25 -!- luk [~luk@d5152B0D4.access.telenet.be] has quit [Ping timeout: 
>480 seconds]
>19:34 -!- SirMoo [moo@hawking.cowsay.de] has quit [Ping timeout: 480 
>seconds]
>19:36 -!- luk [~luk@d5152B0D4.access.telenet.be] has joined #debian-security
>19:36 -!- Netsplit charon.oftc.net <-> unununium.oftc.net quits: madduck, 
>Falco, zobel
>19:38 -!- Netsplit over, joins: zobel, madduck, Falco
>19:57 < hendry> Maulkin: exactly. Was there some debian security conference 
>about this I wasn't invited to?
>19:57 < hendry> the arguments by vorlon and jmm_ are pitiful
>19:59 -!- Frolic [~ederm@tor-irc.dnsbl.oftc.net] has quit [Quit: Saindo]
>20:30 < CIA-1> alec-guest * r5512 /data/CVE/list: tcpdump fixed
>20:47 < micah> hendry: yeah they met in vancouver ;)
>20:48 < micah> hendry: the only thing that makes me concerned about 
>supporting the security in drupal for a couple years is that most of the 
>2.0.x upgrades that fix security issues also fix other issues at the same 
>time, so you would have to isolate the security fixes from those for stable 
>updates
>20:50 < hendry> micah: that's what upstream is keen to do
>20:50 < hendry> no new feature, just security
>20:51 < hendry> in Wordpress btw, not drupal
>20:51 < micah> hendry: i've tracked 2.0.6-2.0.9 and 2.1-2.1.2 and each one 
>of those releases has been done for security reasons and they all had other 
>things crammed in them besides just security fixes
>20:51 < micah> err, sorry I was talking drupal with someone else in another 
>channel ;)
>20:52 < micah> s/drupal/wordpress
>20:53 < hendry> I think that's a little overblown
>20:53 < hendry> but i can't recall the exact 2.0.8-2.0.9 diff
>20:55 < micah> I dont think its overblown, if you look at the changelog of 
>each of those you will see
>20:55 < micah> 2.0.6 -> 2.0.7 fixed security issues and feedburner issues
>20:56 < micah> gah, they dont distribute a changelog so its not easy to 
>gather that quickly :)
>20:56  * hendry sighs
>20:56 < hendry> these guys are really trying hard to please Debian
>20:57 < hendry> If I ask them to only support security fixes and not 
>any-other-type-fixes
>20:57 < micah> i'm not against you here, I actually think tht it shouldn't 
>be kicked out
>20:57 < micah> I'm just saying...
>20:58 < hendry> micah: sure
>20:58 < micah> that if they include other fixes than security ones, that 
>means you (or the security team if you slack) has to carve out the security 
>specific things
>20:58 < hendry> i don't want to see that scenario either
>20:58 < hendry> branching their stable branch would be madness
>20:59 < hendry> anyway, I am just feeling the heat here.
>20:59 < hendry> how should I resolve this with vorlon and jmm_ ?
>20:59 < hendry> micah: have you read their arguments on the bug?
>20:59 < micah> i dont know really
>21:00 < hendry> if it is a democracy than my side would win, because a lot 
>more people support inclusion
>21:00 < hendry> though I don't think it works like that here
>21:00 < hendry> ;)
>21:01 < micah> i think convincing them that it will have security support, 
>because you are making a firm commitment to making that happen (ie. 
>actually making the security updated packages when the hole comes out, and 
>even drafting the DSA and delivering it to the security team on a silver 
>platter) and if it becomes untenable you'd support the removal
>21:01 < hendry> that sounds fine
>21:02 < hendry> i never really expected debian-security to do my housework 
>anyway ;)
>21:02 < micah> I dont think a democracy is based on what people want, i 
>mean the world would be in a hedonistic, drunken bacchanalia if democracy 
>were ruled by what people really wanted
>21:02 < hendry> micah: then you belittle your common man :)
>21:02 < micah> well I'm not making any deals for jmm/vorlon, I'm just 
>giving you suggestions
>21:02 < micah> or I am exposing my desires
>21:03 < hendry> i had to look up bacchanalia
>21:03 < micah> i think the best thing would be to respond to their concerns 
>they raised in the bug report and reassure them that those concerns will 
>not spill over onto their plate
>21:04 < hendry> bacchanalia sounds kinda good

Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>. Full text and rfc822 format available.

Message #49 received at 413269@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Kai Hendry <hendry@iki.fi>
Cc: 413269@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Wordpress in etch
Date: Mon, 5 Mar 2007 22:16:06 -0800
Security Team,

On Mon, Mar 05, 2007 at 10:27:00PM +0000, Kai Hendry wrote:
> As micah suggests I will offer a "firm commitment to actually making
> the security updated packages when the hole comes out, and even drafting
> the DSA and delivering it to the security team on a silver platter) and
> if it becomes untenable I will support the removal"

> Below is the last email from upstream confirming support.

Is this satisfactory?  Should this bug be closed?

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>. Full text and rfc822 format available.

Message #54 received at 413269@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Kai Hendry <hendry@iki.fi>, 413269@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Wordpress in etch
Date: Tue, 6 Mar 2007 23:46:29 +0100
Steve Langasek wrote:
> Security Team,
> 
> On Mon, Mar 05, 2007 at 10:27:00PM +0000, Kai Hendry wrote:
> > As micah suggests I will offer a "firm commitment to actually making
> > the security updated packages when the hole comes out, and even drafting
> > the DSA and delivering it to the security team on a silver platter) and
> > if it becomes untenable I will support the removal"
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

We can't sanely remove a package from a stable release.
 
> > Below is the last email from upstream confirming support.
> 
> Is this satisfactory?  Should this bug be closed?

No, I still believe it's not supportable over the course of a stable
release and has security issues too frequently.
Instead of focusing on each one's pet package we need to look at the
big picture. Maintaining security support for a distribution of the
size of Debian is already difficult enough.

If there's user interest in Wordpress, I recommend to maintain it through
volatile.

EOD for me.

PS: I need to correct my earlier remark. Even Gentoo ceased security support
for Wordpress (and they don't even do backports):
http://bugs.gentoo.org/show_bug.cgi?id=168529

Cheers,
        Moritz



Bug reassigned from package `wordpress' to `tech-ctte'. Request was from "Kai Hendry" <kai.hendry@gmail.com> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: etch, security Request was from "Kai Hendry" <kai.hendry@gmail.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413269; Package tech-ctte. Full text and rfc822 format available.

Message #61 received at 413269@bugs.debian.org (full text, mbox):

From: Kai Hendry <hendry@iki.fi>
To: 413269@bugs.debian.org
Subject: Wordpress in etch
Date: Wed, 7 Mar 2007 10:09:53 +0000
Users, DDs and I don't agree with Moritz's decision here. Hence I've
reassigned the bug to the Debian Technical Committee for hopefully a
quick ruling.

I tried to resolve the problem again last night, you can read the IRC
log below.

Moritz believes that Wordpress shouldn't be in etch as it is too
vulnerable to security issues and will prove a burden for Debian
security team. Wordpress might be more vulnerable than some other
packages due to PHP and its high use. Though it has excellent committed
support from upstream who currently maintain a stable security 2.0.x
branch for Debian until 2010. So these security issues, if any, will
pose little burden on Debian's security team.

Have a nice day :)

--- Log opened Tue Mar 06 22:51:32 2007
22:51 -!- hendry [~hendry@91.84.53.136] has joined #debian-security
22:51 -!- Irssi: #debian-security: Total of 30 nicks [0 ops, 0 halfops, 0 voices, 30 normal]
22:51 -!- Irssi: Join to #debian-security was synced in 2 secs
22:52 < hendry> jmm_: is it just your decision on #413269 or debian-security make a collective decision?
22:52 < jmm_> hendry: security team
22:55 < hendry> i don't like this decision.
22:55 < hendry> gentoo is a bad argument
22:55 < zobel> jmm_: which i still oppose..
22:55 < zobel> with the fact you gave, we could also remove php from etch
22:56 < zobel> looking at the security bugs there are currently around.
22:56 < hendry> jmm_: who else said wordpress shouldn't be in etch?
22:57 < jmm_> hendry: I asked around and noone stepped forward in favour of it
22:58 < hendry> how about asking who opposes it?
22:59 < hendry> moritz, a lot of people want this package
22:59 < hendry> so far all I can see is you opposing it
23:00 < jmm_> hendry: re-read what I wrote about the bug picture
23:00 < jmm_> hendry: s/bug/big
23:00 < hendry> i read it
23:01 < hendry> there is little/no work by the security team to be done. did you read upstream's commitment?
23:03 < jmm_> it's still a significant overhead
23:04 < jmm_> I'm unwilling to discuss over and over again, I have work to do
23:04 < jmm_> unless you convince some other security team member for a clear commitment to support, we can't support it
23:04 < zobel> jmm_: i will now ask for the removal of php in etch! php is much worse maintained than wordpress!
23:05 < jmm_> zobel: bullshit, php is excellently maintained
23:05 -!- faw [~felipe@faw.user.oftc.net] has quit [Quit: Leaving]
23:05 < zobel> so?! it took only 2 months lately to get security patches applied by their maintainers.
23:07 < jmm_> current php update is ready and only waiting for an m68k build
23:08 < hendry> well, I think will ask ctte for a decision on this too
23:08 < hendry> i don't want to spend any more time on this either
23:09 < zobel> jmm_: you should better work on links2. the security team currently seems not to be able to support this simple package on all architectures...
23:10 < jmm_> zobel: you need to discuss this with skx
23:11 < zobel> jmm_: team@security is primary point of contact for me. and i won't do any further work on that.
23:19 < hendry> ok nn people
--- Log closed Tue Mar 06 23:19:12 2007

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413269; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #66 received at 413269@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 413269@bugs.debian.org
Subject: Re: Wordpress in etch
Date: Wed, 07 Mar 2007 12:46:45 +0100
Hi,

I'd like to add a bit of information here.

Recently, Wordpress 2.1.1 has been compromised and an exploit added to
the code. http://wordpress.org/development/2007/03/upgrade-212/
This can happen.

However, upstream solves this by advising everyone to "just upgrade to
2.1.2". Otherwise it stays vague about what is affected: they list "past
3-4 days" as the window, they do not tell the (md5 or sha1) checksums of
the trusted version, nor do they give the exploit code that was added.

They produce no way for me to check whether an existing installation is
affected or not. "Just upgrade".

I'm therefore not convinced that they take security seriously in a way
other than "upgrade to this new fixed version, which contains some other
fixes too", which is exactly not what Debian needs.


Thijs
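Thijs's complaint in the message above is that, with no published checksums and no file list, an administrator has no way to tell whether an existing installation carries the code that was injected into the download. The following is an added example of what such a check looks like; it is not from the thread and not WordPress's own tooling. It builds a SHA-256 manifest from a trusted, unmodified copy of the release, writes it in the `sha256sum -c` line format, and then compares a deployed tree against the manifest, reporting files that were modified, are missing, or were added. The file names and contents in `demo()` are constructed for the demonstration and are not real WordPress files.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_to_text(manifest):
    """Serialise as '<hex>  <path>' lines, the format `sha256sum -c` accepts."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))


def manifest_from_text(text):
    """Parse the line format produced by manifest_to_text (or by sha256sum)."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split("  ", 1)
        manifest[path] = digest
    return manifest


def verify_tree(root, manifest):
    """Compare a deployed tree with a trusted manifest; every difference is reported."""
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "added": sorted(p for p in actual if p not in manifest),
    }


def demo():
    """Constructed example: a trusted release tree and a deployed copy that drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, deployed = Path(tmp) / "trusted", Path(tmp) / "deployed"
        for d in (trusted, deployed):
            (d / "wp-includes").mkdir(parents=True)
            (d / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
            (d / "wp-includes" / "version.php").write_text("<?php $wp_version = '2.1.2';\n")
        # Manifest is taken from the trusted copy and round-tripped through the text form.
        manifest = manifest_from_text(manifest_to_text(build_manifest(trusted)))
        # Simulated drift in the deployed copy: one file changed, one stray file present.
        (deployed / "wp-includes" / "version.php").write_text(
            "<?php $wp_version = '2.1.2'; // unexpected change\n"
        )
        (deployed / "wp-includes" / "stray.php").write_text("<?php // not in the release\n")
        return verify_tree(deployed, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest only helps if it comes from a copy obtained out of band from the distribution channel that was compromised (a release from before the window the vendor names, or one whose checksum the vendor publishes and signs); a manifest built from the installation under suspicion proves nothing. Files the application legitimately writes at runtime (uploads, caches, the site configuration) will show up as "added" or "modified" and need to be excluded before the report is useful.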

Bug reassigned from package `tech-ctte' to `wordpress'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 413269 cloned as bug 413926. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Blocking bugs of 413269 added: 413926 Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>. Full text and rfc822 format available.

Message #77 received at 413269@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 413269@bugs.debian.org
Cc: Kai Hendry <hendry@iki.fi>, team@security.debian.org, debian-release@lists.debian.org, 413926@bugs.debian.org
Subject: Re: Bug#413269: Wordpress in etch
Date: Wed, 7 Mar 2007 14:54:41 -0800
On Tue, Mar 06, 2007 at 11:46:29PM +0100, Moritz Muehlenhoff wrote:
> Steve Langasek wrote:
> > Security Team,

> > On Mon, Mar 05, 2007 at 10:27:00PM +0000, Kai Hendry wrote:
> > > As micah suggests I will offer a "firm commitment to actually making
> > > the security updated packages when the hole comes out, and even drafting
> > > the DSA and delivering it to the security team on a silver platter) and
> > > if it becomes untenable I will support the removal"
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> We can't sanely remove a package from a stable release.

> > > Below is the last email from upstream confirming support.

> > Is this satisfactory?  Should this bug be closed?

> No, I still believe it's not supportable over the course of a stable
> release and has security issue too frequently.
> Instead of focusing on each one's pet package we need to look at the
> big picture. Maintaining security support for a distribution of the
> size of Debian is already difficult enough.

> If there's user interest in Wordpress, I recommend to maintain it through
> volatile.

This issue has now been referred to the technical committee by Kai.  Given
that unstable has a new upstream version of wordpress relative to testing, I
believe the correct course of action is as follows:

- treat this bug as a blocker for etch (RC bug on wordpress), but do not act
  immediately to remove the package from testing, giving the TC time to
  consider the question of overruling the security team
- if the TC does not render a decision before the etch release, the release
  team will proceed with removing this package from etch according to the
  request of the security team.

I've cloned & twiddled this bug to reflect this.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #82 received at 413269-done@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 413926@bugs.debian.org, 413269-done@bugs.debian.org
Subject: Results of technical committee vote
Date: Tue, 27 Mar 2007 00:09:19 -0700
[Message part 1 (text/plain, inline)]
With six of seven committee members having voted, there is a definite
Condorcet winner and the outcome of the vote is no longer in doubt under
6.3.1 of the constitution.  While I'm sure we'd all welcome Raul's thoughts
on the question, and by my reading any member of the TC is still allowed to
change their vote for up to a week after the call for votes, I don't think
there's any harm in proceeding according to this provisional outcome.  If
any further votes are received, I'll respin this report at the end of the
week; and I'll wait for the week to be up before requesting changes to
<http://www.debian.org/devel/tech-ctte>; but I will go ahead and close bug
#413269 with this mail.

     Option 1--->: wordpress should not be included in etch due to bug #413269
   /  Option 2-->: wordpress should be included in etch in spite of bug #413269
   |/  Option 3->: Further discussion
   ||/
V: 213  Andreas Barth
V: 213  Anthony Towns
V: 213  Bdale Garbee
V: 123  Ian Jackson
V: 213  Manoj Srivastava
V: 123  Steve Langasek

In the following table, tally[row x][col y] represents the votes that
option x received over option y.

Option 1 "wordpress should not be included in etch due to bug #413269"
Option 2 "wordpress should be included in etch in spite of bug #413269"
Option 3 "Further discussion"

            Option
          1   2   3
          =   =   =
Option 1      2   6
Option 2  4       6
Option 3  0   0    

Option 2 defeats Option 1 by (4 - 2) = 2 votes.
Option 1 defeats Option 3 by (6 - 0) = 6 votes.
Option 2 defeats Option 3 by (6 - 0) = 6 votes.

The Schwartz contains:
	Option 2 "wordpress should be included in etch in spite of bug #413269"

The winner is:
	Option 2 "wordpress should be included in etch in spite of bug #413269"

So the decision of the Technical Committee is to include wordpress in etch
in spite of the objections of the Security Team; bug #413269 is no longer
release-critical for etch.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
[signature.asc (application/pgp-signature, inline)]
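The pairwise table and the Schwartz set in the result mail above can be reproduced mechanically from the six ballots. The block below is an added example written for this page, not Debian's devotee vote-counting software: it parses the "V:" ballot strings as transcribed from the mail, builds the tally[x][y] matrix of voters ranking x above y, and resolves the winner with the Schwartz set plus the weakest-defeat dropping step used for cycles (which these ballots do not exercise). The constitution's quorum and default-option majority checks are omitted, so it is a simplified rendering of the procedure.

```python
"""Condorcet tally with Schwartz-set resolution for the TC ballots posted above.

Added example constructed from the bug log; not Debian's devotee code."""

OPTIONS = {
    1: "wordpress should not be included in etch due to bug #413269",
    2: "wordpress should be included in etch in spite of bug #413269",
    3: "Further discussion",
}

# Ballots transcribed from the result mail. The digit at position i is the
# rank the voter gave option i+1, so "213" ranks option 2 first, 1 second.
BALLOTS = {
    "Andreas Barth": "213",
    "Anthony Towns": "213",
    "Bdale Garbee": "213",
    "Ian Jackson": "123",
    "Manoj Srivastava": "213",
    "Steve Langasek": "123",
}


def parse_ballot(v):
    """Turn a 'V:' string into {option: rank}; a lower rank means preferred."""
    if len(v) != len(OPTIONS) or not v.isdigit():
        raise ValueError(f"malformed ballot {v!r}")
    return {opt: int(ch) for opt, ch in zip(sorted(OPTIONS), v)}


def pairwise_tally(ballots):
    """tally[(x, y)] = number of voters ranking x strictly above y."""
    tally = {(x, y): 0 for x in OPTIONS for y in OPTIONS if x != y}
    for v in ballots.values():
        ranks = parse_ballot(v)
        for x, y in tally:
            if ranks[x] < ranks[y]:
                tally[(x, y)] += 1
    return tally


def defeats(tally, live):
    """(winner, loser) pairs among live options where more voters prefer winner."""
    return {(x, y) for x in live for y in live
            if x != y and tally[(x, y)] > tally[(y, x)]}


def schwartz_set(live, beats):
    """Options that beat back (transitively) everyone who transitively beats them."""
    reach = {(x, y): (x, y) in beats for x in live for y in live}
    for k in live:          # Floyd-Warshall transitive closure of the defeat graph
        for i in live:
            for j in live:
                if reach[(i, k)] and reach[(k, j)]:
                    reach[(i, j)] = True
    return {x for x in live
            if all(reach[(x, y)] for y in live if reach[(y, x)])}


def winner(ballots):
    """Return (set of winning options, tally). A one-element set is decisive."""
    tally = pairwise_tally(ballots)
    live = set(OPTIONS)
    beats = defeats(tally, live)
    while True:
        s = schwartz_set(live, beats)
        inner = {d for d in beats if d[0] in s and d[1] in s}
        if not inner:
            return s, tally
        # Cycle inside the Schwartz set: drop the weakest defeat, i.e. the one
        # with the smallest V(A,X); ties go to the one with the larger V(X,A).
        weakest = min(inner, key=lambda d: (tally[d], -tally[(d[1], d[0])]))
        beats.discard(weakest)
        live = s


if __name__ == "__main__":
    s, tally = winner(BALLOTS)
    print("        " + "".join(f"{y:>4}" for y in sorted(OPTIONS)))
    for x in sorted(OPTIONS):
        row = "".join(f"{tally.get((x, y), ''):>4}" for y in sorted(OPTIONS))
        print(f"Option {x}{row}")
    for w in sorted(s):
        print(f"winner: Option {w} \"{OPTIONS[w]}\"")
```

Running the block prints the same 2/4/6/6/0/0 matrix as the mail and names Option 2 as the sole Schwartz winner; replacing the ballots with a set that forms a cycle (for instance one voter each of "123", "231", "312") exercises the weakest-defeat dropping branch instead.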

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 16:05:16 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 20:05:48 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.