Debian Bug report logs - #413926
wordpress: Should not ship with Etch

Package: tech-ctte; Maintainer for tech-ctte is Technical Committee <debian-ctte@lists.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 3 Mar 2007 20:18:02 UTC

Severity: important

Tags: etch, security

Done: bdale@gag.com (Bdale Garbee)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress.

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Kai Hendry <hendry@iki.fi>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: Should not ship with Etch
Date: Sat, 03 Mar 2007 21:15:33 +0100
Package: wordpress
Severity: serious

On behalf of the Security Team I'm requesting the removal of Wordpress
from Etch. There's a steady flow of security issues being found in
Wordpress and we don't believe it's sanely maintainable over the
course of 30-36 months. (Etch life-time)

As an example, the versions fixing vulnerabilities of the last four
months only:

  wordpress (2.1.1-1) unstable; urgency=high
  .
    * New upstream security release
    * Updated copyright with new download link
    * http://wordpress.org/development/2007/02/new-releases
    * http://trac.wordpress.org/milestone/2.1.1
    * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1049

  wordpress (2.0.8-1) testing-security; urgency=high
  .
    [Neil McGovern]
    * Non-maintainer upload by security team.
    * Fixes for CVE-2007-0539 and CVE-2007-0541
    [Kai Hendry]
    * New upstream release
    * Security fix, urgency high for etch

  wordpress (2.0.7-1) unstable; urgency=low
  .
    * New upstream release
    * New upstream available (security fix) (Closes: #407116)

  wordpress (2.0.6-1) unstable; urgency=high
  .
    * New upstream release
    * Security fix, urgency high.
    * FrSIRT/ADV-2006-5191, CVE-2006-6808: WordPress "get_file_description()"
      Function Client-Side Cross Site Scripting Vulnerability.
      (Closes: #405299, #405691)

  wordpress (2.0.5-0.1) unstable; urgency=medium
  .
    * NMU on maintainer's request.
    * Security fix, urgency medium.
    * readme.html: s/license.txt/copyright/. (Closes: #382283)
    * New upstream release, which fixes:
      - CVE-2006-4208: Directory traversal vulnerability in WP-DB-Backup
        plugin for WordPress. (Closes: #384800)

Even more worrying, their infrastructure was hacked and they had a
compromised tarball up for download:

http://wordpress.org/development/2007/03/upgrade-212/

Cheers,
        Moritz

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress.

Acknowledgement sent to "Thibaut VARENE" <varenet@debian.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.

Message #10 received at 413269@bugs.debian.org:

From: "Thibaut VARENE" <varenet@debian.org>
To: "Moritz Muehlenhoff" <jmm@debian.org>, 413269@bugs.debian.org
Subject: Re: Bug#413269: wordpress: Should not ship with Etch
Date: Sat, 3 Mar 2007 23:03:35 +0100
On 3/3/07, Moritz Muehlenhoff <jmm@debian.org> wrote:
> Package: wordpress
> Severity: serious
>
> On behalf of the Security Team I'm requesting the removal of Wordpress
> from Etch. There's a steady flow of security issues being found in
> Wordpress and we don't believe it's sanely maintainable over the
> course of 30-36 months. (Etch life-time)

I didn't know the debian security team was entitled to ask for package
removal based on FUD.

Wordpress is well maintained, both upstream and in Debian. What the heck?

As to the "even more worrying" point, let's just recall that this is
exactly what happened to openssh[0]. And we had a number of Debian
machines compromised. Shit happens, I don't think that's a reason to
ask for package removal. This is plain and pure FUD.

T-Bone

[0] http://www.openssh.com/txt/trojan.adv



Information stored:
Bug#413269; Package wordpress.

Acknowledgement sent to Martin Zobel-Helas <zobel@ftbfs.de>:
Extra info received and filed, but not forwarded.

Message #15 received at 413269-quiet@bugs.debian.org:

From: Martin Zobel-Helas <zobel@ftbfs.de>
To: 413269-quiet@bugs.debian.org
Subject: Re: Bug#413269: wordpress: Should not ship with Etch
Date: Sun, 4 Mar 2007 13:07:14 +0100
Hi, 

On Sat Mar 03, 2007 at 21:15:33 +0100, Moritz Muehlenhoff wrote:
> Package: wordpress
> Severity: serious
> 
> On behalf of the Security Team I'm requesting the removal of Wordpress
> from Etch. There's a steady flow of security issues being found in
> Wordpress and we don't believe it's sanely maintainable over the
> course of 30-36 months. (Etch life-time)

I can understand jmm from the security side of view. Looking at the
popcon count and the overall popularity of wordpress at all, I don't
share his opinion.

Greetings
Martin

-- 
[root@debian /root]# man real-life
No manual entry for real-life




Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress.

Acknowledgement sent to Bastian Venthur <venthur@debian.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.

Message #20 received at 413269@bugs.debian.org:

From: Bastian Venthur <venthur@debian.org>
To: 413269@bugs.debian.org, 413269-submitter@bugs.debian.org
Subject: wordpress: Should not ship with Etch
Date: Sun, 04 Mar 2007 18:58:55 +0100
I agree with Martin and object to the removal of wordpress from etch.
First, this would disappoint many users, second and most important: as
long as upstream provides fixes in reasonable time, why should we drop
such a popular package?

BTW I've counted the security uploads in wordpress' changelog and
according to my numbers it had something like 10 or 11 security issues
in 3 years. That doesn't sound too bad for such a popular php application :)


Cheers,

Bastian

-- 
Bastian Venthur                                      http://venthur.de
Debian Developer                                 venthur at debian org




Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#413269.

Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress.

Acknowledgement sent to Alan Tam <Tam@SiuLung.com>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.

Message #28 received at 413269@bugs.debian.org:

From: Alan Tam <Tam@SiuLung.com>
To: 413269@bugs.debian.org
Subject: wordpress: Should not ship with Etch
Date: Mon, 05 Mar 2007 15:41:13 +0800
Hi all,

I agree with Moritz that wordpress may pose a problem to debian.
Ubuntu has "stolen" version 2.0.2-2 from Debian 10 months ago,
and I suspect it is vulnerable to 21 CVEs [1]. I am open to see
how they are going to support it for 5 years.


> as long as upstream provides fixes in reasonable time,
> why should we drop such a popular package?

How about if upstream doesn't support the 2.1.x branch anymore?

Firefox 1.0.x and Bugzilla 2.16.x are in sarge, but upstream
ceased to provide security updates around 11 months ago [2] [3].
We still need to support them for 1 year after etch is released.
So how can we deal with them? It is the security team who
backports changes from newer versions to patch the old versions.

So can popularity affect the decision? I think so. If a package
is popular enough so that it makes sense for the security team
to put extra effort, it is perhaps a good idea. Otherwise,
"many people using an unpatched version" simply sounds worse!


-- 
Regards,
Alan

[1] https://bugs.launchpad.net/ubuntu/+source/wordpress/+bug/89654
[2] http://www.mozilla.org/news.html#p404
   "Mozilla Corporation is also strongly recommending that Firefox
    1.0 users upgrade to this latest release of Firefox 1.5 in
    order to take advantage of significant security and stability
    improvements."
[3] http://www.bugzilla.org/news/
   "After Bugzilla 2.22 is released, there will be no more security
    updates from the Bugzilla Project for the 2.16 branch."




Information stored:
Bug#413269; Package wordpress.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and filed, but not forwarded.

Message #33 received at 413269-quiet@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Martin Zobel-Helas <zobel@ftbfs.de>, 413269-quiet@bugs.debian.org
Subject: Re: Bug#413269: wordpress: Should not ship with Etch
Date: Mon, 5 Mar 2007 01:30:09 -0800
On Sun, Mar 04, 2007 at 01:07:14PM +0100, Martin Zobel-Helas wrote:

> On Sat Mar 03, 2007 at 21:15:33 +0100, Moritz Muehlenhoff wrote:
> > Package: wordpress
> > Severity: serious

> > On behalf of the Security Team I'm requesting the removal of Wordpress
> > from Etch. There's a steady flow of security issues being found in
> > Wordpress and we don't believe it's sanely maintainable over the
> > course of 30-36 months. (Etch life-time)

> I can understand jmm from the security side of view. Looking at the
> popcon count and the overall popularity of wordpress at all, i don't
> share his opinion.

Yes, wordpress is popular; but

- Debian is not the only source for software in the world (I know, shocking,
  right? :), so not including it in etch doesn't mean users can't have it;
- just because software is popular doesn't mean we should lower our
  standards of quality to include it in a stable release -- users depend on
  us to *support* whatever we ship in stable, so if we don't think we can
  support it, we should avoid giving them that impression in the first
  place;
- the state of the art in packaging for web apps is not exactly stellar, so
  in many cases users are arguably better off /not/ using these apps in
  packaged form.

More persuasive to me than a popcon count would be evidence that wordpress
is not going to cause a disproportionate burden on the security team, and/or
that security support for wordpress isn't going to suffer substantially
because it's given a lower priority by the security team.

So presently, I still don't see any reason to override the security team's
position if they believe this package is not supportable over the lifetime
of a stable release.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#413269; Package wordpress.

Message #36 received at 413269@bugs.debian.org:

From: Kai Hendry <hendry@iki.fi>
To: 413269@bugs.debian.org
Subject: Wordpress in etch
Date: Mon, 5 Mar 2007 18:12:53 +0000
I just confirmed *again* that upstream is committed to supporting
Wordpress 2.0.x until 2010.

So where is the burden to the security team? 

Packages in stable with committed upstream security support are probably
the exception more than the rule. So one would think, like I do, that
Wordpress is in fact a good example of a package to include in a Debian
stable release.

Information stored:
Bug#413269; Package wordpress.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and filed, but not forwarded.

Message #41 received at 413269-quiet@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Steve Langasek <vorlon@debian.org>
Cc: Martin Zobel-Helas <zobel@ftbfs.de>, 413269-quiet@bugs.debian.org
Subject: Re: Bug#413269: wordpress: Should not ship with Etch
Date: Mon, 5 Mar 2007 19:20:46 +0100
On Mon, Mar 05, 2007 at 01:30:09AM -0800, Steve Langasek wrote:
> On Sun, Mar 04, 2007 at 01:07:14PM +0100, Martin Zobel-Helas wrote:
> 
> > On Sat Mar 03, 2007 at 21:15:33 +0100, Moritz Muehlenhoff wrote:
> > > Package: wordpress
> > > Severity: serious
> 
> > > On behalf of the Security Team I'm requesting the removal of Wordpress
> > > from Etch. There's a steady flow of security issues being found in
> > > Wordpress and we don't believe it's sanely maintainable over the
> > > course of 30-36 months. (Etch life-time)
> 
> > I can understand jmm from the security side of view. Looking at the
> > popcon count and the overall popularity of wordpress at all, i don't
> > share his opinion.
> 
> Yes, wordpress is popular; but
> 
> - Debian is not the only source for software in the world (I know, shocking,
>   right? :), so not including it in etch doesn't mean users can't have it;
> - just because software is popular doesn't mean we should lower our
>   standards of quality to include it in a stable release -- users depend on
>   us to *support* whatever we ship in stable, so if we don't think we can
>   support it, we should avoid giving them that impression in the first
>   place;
> - the state of the art in packaging for web apps is not exactly stellar, so
>   in many cases users are arguably better off /not/ using these apps in
>   packaged form.

Well put. Also:
- No other GNU/Linux distribution ships Wordpress except Gentoo (who only
  release new upstream versions, we could do the same through volatile)
- Not shipping wordpress is not a regression as it was never part of stable

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#413269; Package wordpress.

Message #44 received at 413269@bugs.debian.org:

From: Kai Hendry <hendry@iki.fi>
To: 413269@bugs.debian.org
Cc: team@security.debian.org, debian-release@lists.debian.org
Subject: Wordpress in etch
Date: Mon, 5 Mar 2007 22:27:00 +0000
As micah suggests I will offer a "firm commitment to actually making
the security updated packages when the hole comes out, and even drafting
the DSA and delivering it to the security team on a silver platter) and
if it becomes untenable I will support the removal"

Below is the last email from upstream confirming support.

Best wishes,

----- Forwarded message from Ryan Boren <ryan@boren.nu> -----

From: Ryan Boren <ryan@boren.nu>
To: Kai Hendry <hendry@iki.fi>
Subject: Re: Etch
Date: Mon, 5 Mar 2007 13:52:27 -0800

On 3/5/07, Kai Hendry <hendry@iki.fi> wrote:
>On 2007-03-05T09:46-0800 Ryan Boren wrote:
>> On 3/5/07, Kai Hendry <hendry@iki.fi> wrote:
>> >http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413269
>> >If you say you can confirm support 2.0.x Wordpress like you agreed to
>> >before, I can take it from there.
>> We are committed to supporting 2.0.x until 2010.
>I was chatting with one of the guys in debian-security and he suggests
>to seal the deal, that I convince upstream (that's you) *only* to do
>security fixes on the 2.0.x branch. Think we can do that?

Beyond security problems, we typically only fix very high profile bugs
such as the feedburner issue and the bugs leading up to it.  We also
try to preserve forward compatibility with new releases of php, which
can be a pain in the ass.  During normal circumstances, however, 2.0
is strictly security fixes.  We'd had a number of those lately,
unfortunately, but that is due in part to the fact that WordPress
recently has been receiving a huge amount of security audit attention.
We're nearing the point where our security has been picked over by
everyone's fine tooth combs.  After the next release, I think the
security updates should slow down.

>Here the log of my discussion with micah:
>
>
>
>19:24 < Maulkin> hendry: I don't see why it shouldn't be supported. 2.0.x 
>gets security updates only - the work required by the security team is 
>almost none.
>19:25 -!- luk [~luk@d5152B0D4.access.telenet.be] has quit [Ping timeout: 
>480 seconds]
>19:34 -!- SirMoo [moo@hawking.cowsay.de] has quit [Ping timeout: 480 
>seconds]
>19:36 -!- luk [~luk@d5152B0D4.access.telenet.be] has joined #debian-security
>19:36 -!- Netsplit charon.oftc.net <-> unununium.oftc.net quits: madduck, 
>Falco, zobel
>19:38 -!- Netsplit over, joins: zobel, madduck, Falco
>19:57 < hendry> Maulkin: exactly. Was there some debian security conference 
>about this I wasn't invited to?
>19:57 < hendry> the arguments by vorlon and jmm_ are pitiful
>19:59 -!- Frolic [~ederm@tor-irc.dnsbl.oftc.net] has quit [Quit: Saindo]
>20:30 < CIA-1> alec-guest * r5512 /data/CVE/list: tcpdump fixed
>20:47 < micah> hendry: yeah they met in vancouver ;)
>20:48 < micah> hendry: the only thing that makes me concerned about 
>supporting the security in drupal for a couple years is that most of the 
>2.0.x upgrades that fix security issues also fix other issues at the same 
>time, so you would have to isolate the security fixes from those for stable 
>updates
>20:50 < hendry> micah: that's what upstream is keen to do
>20:50 < hendry> no new feature, just security
>20:51 < hendry> in Wordpress btw, not drupal
>20:51 < micah> hendry: i've tracked 2.0.6-2.0.9 and 2.1-2.1.2 and each one 
>of those releases has been done for security reasons and they all had other 
>things crammed in them besides just security fixes
>20:51 < micah> err, sorry I was talking drupal with someone else in another 
>channel ;)
>20:52 < micah> s/drupal/wordpress
>20:53 < hendry> I think that's a little overblown
>20:53 < hendry> but i can't recall the exact 2.0.8-2.0.9 diff
>20:55 < micah> I dont think its overblown, if you look at the changelog of 
>each of those you will see
>20:55 < micah> 2.0.6 -> 2.0.7 fixed security issues and feedburner issues
>20:56 < micah> gah, they dont distribute a changelog so its not easy to 
>gather that quickly :)
>20:56  * hendry sighs
>20:56 < hendry> these guys are really trying hard to please Debian
>20:57 < hendry> If I ask them to only support security fixes and not 
>any-other-type-fixes
>20:57 < micah> i'm not against you here, I actually think that it shouldn't 
>be kicked out
>20:57 < micah> I'm just saying...
>20:58 < hendry> micah: sure
>20:58 < micah> that if they include other fixes than security ones, that 
>means you (or the security team if you slack) has to carve out the security 
>specific things
>20:58 < hendry> i don't want to see that scenario either
>20:58 < hendry> branching their stable branch would be madness
>20:59 < hendry> anyway, I am just feeling the heat here.
>20:59 < hendry> how should I resolve this with vorlon and jmm_ ?
>20:59 < hendry> micah: have you read their arguments on the bug?
>20:59 < micah> i dont know really
>21:00 < hendry> if it is a democracy then my side would win, because a lot 
>more people support inclusion
>21:00 < hendry> though I don't think it works like that here
>21:00 < hendry> ;)
>21:01 < micah> i think convincing them that it will have security support, 
>because you are making a firm commitment to making that happen (ie. 
>actually making the security updated packages when the hole comes out, and 
>even drafting the DSA and delivering it to the security team on a silver 
>platter) and if it becomes untenable you'd support the removal
>21:01 < hendry> that sounds fine
>21:02 < hendry> i never really expected debian-security to do my housework 
>anyway ;)
>21:02 < micah> I dont think a democracy is based on what people want, i 
>mean the world would be in a hedonistic, drunken bacchanalia if democracy 
>were ruled by what people really wanted
>21:02 < hendry> micah: then you belittle your common man :)
>21:02 < micah> well I'm not making any deals for jmm/vorlon, I'm just 
>giving you suggestions
>21:02 < micah> or I am exposing my desires
>21:03 < hendry> i had to look up bacchanalia
>21:03 < micah> i think the best thing would be to respond to their concerns 
>they raised in the bug report and reassure them that those concerns will 
>not spill over onto their plate
>21:04 < hendry> bacchanalia sounds kinda good

Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.

Message #49 received at 413269@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Kai Hendry <hendry@iki.fi>
Cc: 413269@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Wordpress in etch
Date: Mon, 5 Mar 2007 22:16:06 -0800
Security Team,

On Mon, Mar 05, 2007 at 10:27:00PM +0000, Kai Hendry wrote:
> As micah suggests I will offer a "firm commitment to actually making
> the security updated packages when the hole comes out, and even drafting
> the DSA and delivering it to the security team on a silver platter) and
> if it becomes untenable I will support the removal"

> Below is the last email from upstream confirming support.

Is this satisfactory?  Should this bug be closed?

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413269; Package wordpress.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.

Message #54 received at 413269@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Kai Hendry <hendry@iki.fi>, 413269@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Wordpress in etch
Date: Tue, 6 Mar 2007 23:46:29 +0100
Steve Langasek wrote:
> Security Team,
> 
> On Mon, Mar 05, 2007 at 10:27:00PM +0000, Kai Hendry wrote:
> > As micah suggests I will offer a "firm commitment to actually making
> > the security updated packages when the hole comes out, and even drafting
> > the DSA and delivering it to the security team on a silver platter) and
> > if it becomes untenable I will support the removal"
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

We can't sanely remove a package from a stable release.
 
> > Below is the last email from upstream confirming support.
> 
> Is this satisfactory?  Should this bug be closed?

No, I still believe it's not supportable over the course of a stable
release and has security issues too frequently.
Instead of focusing on each one's pet package we need to look at the
big picture. Maintaining security support for a distribution of the
size of Debian is already difficult enough.

If there's user interest in Wordpress, I recommend maintaining it through
volatile.

EOD for me.

PS: I need to correct my earlier remark. Even Gentoo ceased security support
for Wordpress (and they don't even do backports):
http://bugs.gentoo.org/show_bug.cgi?id=168529

Cheers,
        Moritz



Bug reassigned from package `wordpress' to `tech-ctte'. Request was from "Kai Hendry" <kai.hendry@gmail.com> to control@bugs.debian.org.

Tags added: etch, security. Request was from "Kai Hendry" <kai.hendry@gmail.com> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413269; Package tech-ctte.

Message #61 received at 413269@bugs.debian.org:

From: Kai Hendry <hendry@iki.fi>
To: 413269@bugs.debian.org
Subject: Wordpress in etch
Date: Wed, 7 Mar 2007 10:09:53 +0000
Users, DDs and I don't agree with Moritz's decision here. Hence I've
reassigned the bug to the Debian Technical Committee for hopefully a
quick ruling.

I tried to resolve the problem again last night, you can read the IRC
log below.

Moritz believes that Wordpress shouldn't be in etch as it is too
vulnerable to security issues and will prove a burden for the Debian
security team. Wordpress might be more vulnerable than some other
packages due to PHP and its high use. Though it has excellent committed
support from upstream, who currently maintain a stable security 2.0.x
branch for Debian until 2010. So these security issues, if any, will
pose little burden on Debian's security team.

Have a nice day :)

--- Log opened Tue Mar 06 22:51:32 2007
22:51 -!- hendry [~hendry@91.84.53.136] has joined #debian-security
22:51 -!- Irssi: #debian-security: Total of 30 nicks [0 ops, 0 halfops, 0 voices, 30 normal]
22:51 -!- Irssi: Join to #debian-security was synced in 2 secs
22:52 < hendry> jmm_: is it just your decision on #413269 or debian-security make a collective decision?
22:52 < jmm_> hendry: security team
22:55 < hendry> i don't like this decision.
22:55 < hendry> gentoo is a bad argument
22:55 < zobel> jmm_: which i still oppose..
22:55 < zobel> with the fact you gave, we could also remove php from etch
22:56 < zobel> looking at the security bugs there are currently around.
22:56 < hendry> jmm_: who else said wordpress shouldn't be in etch?
22:57 < jmm_> hendry: I asked around and noone stepped forward in favour of it
22:58 < hendry> how about asking who opposes it?
22:59 < hendry> moritz, a lot of people want this package
22:59 < hendry> so far all I can see is you opposing it
23:00 < jmm_> hendry: re-read what I wrote about the bug picture
23:00 < jmm_> hendry: s/bug/big
23:00 < hendry> i read it
23:01 < hendry> there is little/no work by the security team to be done. did you read upstream's commitment?
23:03 < jmm_> it's still a significant overhead
23:04 < jmm_> I'm unwilling to discuss over and over again, I have work to do
23:04 < jmm_> unless you convince some other security team member for a clear commitment to support, we can't support it
23:04 < zobel> jmm_: i will now ask for the removal of php in etch! php is much worse maintained than wordpress!
23:05 < jmm_> zobel: bullshit, php is excellently maintained
23:05 -!- faw [~felipe@faw.user.oftc.net] has quit [Quit: Leaving]
23:05 < zobel> so?! it took only 2 month lately to get security patches applied by their maintainers.
23:07 < jmm_> current php update is ready and only waiting for an m68k build
23:08 < hendry> well, I think will ask ctte for a decision on this too
23:08 < hendry> i don't want to spend any more time on this either
23:09 < zobel> jmm_: you should better work on links2. the security team currently seems not to be able to support this simple package on all architectures...
23:10 < jmm_> zobel: you need to discuss this with skx
23:11 < zobel> jmm_: team@security is primary point of contact for me. and i won't do any further work on that.
23:19 < hendry> ok nn people
--- Log closed Tue Mar 06 23:19:12 2007

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413269; Package tech-ctte.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>.

Message #66 received at 413269@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 413269@bugs.debian.org
Subject: Re: Wordpress in etch
Date: Wed, 07 Mar 2007 12:46:45 +0100
Hi,

I'd like to add a bit of information here.

Recently, Wordpress 2.1.1 has been compromised and an exploit added to
the code. http://wordpress.org/development/2007/03/upgrade-212/
This can happen.

However, upstream solves this by advising everyone to "just upgrade to
2.1.2". Otherwise it stays vague about what is affected: they list "past
3-4 days" as the window, they do not tell the (md5 or sha1) checksums of
the trusted version, nor do they give the exploit code that was added.

They produce no way for me to check whether an existing installation is
affected or not. "Just upgrade".

I'm therefore not convinced that they take security seriously in a way
other than "upgrade to this new fixed version, which contains some other
fixes too", which is exactly not what Debian needs.


Thijs

Bug reassigned from package `tech-ctte' to `wordpress'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Bug 413269 cloned as bug 413926. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Severity set to `important' from `serious'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Blocking bugs of 413269 added: 413926. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#413926; Package wordpress.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.

Message #79 received at 413926@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 413269@bugs.debian.org
Cc: Kai Hendry <hendry@iki.fi>, team@security.debian.org, debian-release@lists.debian.org, 413926@bugs.debian.org
Subject: Re: Bug#413269: Wordpress in etch
Date: Wed, 7 Mar 2007 14:54:41 -0800
On Tue, Mar 06, 2007 at 11:46:29PM +0100, Moritz Muehlenhoff wrote:
> Steve Langasek wrote:
> > Security Team,

> > On Mon, Mar 05, 2007 at 10:27:00PM +0000, Kai Hendry wrote:
> > > As micah suggests I will offer a "firm commitment to actually making
> > > the security updated packages when the hole comes out, and even drafting
> > > the DSA and delivering it to the security team on a silver platter) and
> > > if it becomes untenable I will support the removal"
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> We can't sanely remove a package from a stable release.

> > > Below is the last email from upstream confirming support.

> > Is this satisfactory?  Should this bug be closed?

> No, I still believe it's not supportable over the course of a stable
> release and has security issue too frequently.
> Instead of focusing on each one's pet package we need to look at the
> big picture. Maintaining security support for a distribution of the
> size of Debian is already difficult enough.

> If there's user interest in Wordpress, I recommend maintaining it through
> volatile.

This issue has now been referred to the technical committee by Kai.  Given
that unstable has a new upstream version of wordpress relative to testing, I
believe the correct course of action is as follows:

- treat this bug as a blocker for etch (RC bug on wordpress), but do not act
  immediately to remove the package from testing, giving the TC time to
  consider the question of overruling the security team
- if the TC does not render a decision before the etch release, the release
  team will proceed with removing this package from etch according to the
  request of the security team.

I've cloned & twiddled this bug to reflect this.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Bug reassigned from package `wordpress' to `tech-ctte'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Message #84 received at 413926@bugs.debian.org (full text, mbox):

From: Kai Hendry <hendry@iki.fi>
To: 413926@bugs.debian.org, thijs@debian.org
Subject: Extra FUD cleanup
Date: Thu, 8 Mar 2007 11:34:08 +0000
Hi Thijs,

Wordpress does publish md5sums:
http://wordpress.org/download/release-archive/

Btw 2.1.x is an unstable branch. The Wordpress stable branch 2.0.x is
for etch, hopefully. So I like to think of 2.0.x as being on topic, not so
much 2.1.x.

Though let's address your concerns for 2.1.x. Upstream took the "just
upgrade" path with 2.1.2 as it is dealing largely with a non-technical
audience.

Quoting Mark Jaquith: """ But ultimately, even without another security
vulnerability necessitating a new release, it probably still would have
been a good idea.  We're dealing with a mostly non-technical audience
here, and bumping the version number is a sure way for people to know if
they are vulnerable or not with 100% certainty and no technical
skill."""

If you're really interested in the exploit view the Debian Wordpress
changelog for the ticket number.

I would like to add that many of these security issues are quite minor
and exaggerated. Any questions? Please get in touch with me.

Best wishes from Cornwall,

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #89 received at 413926@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Kai Hendry <hendry@iki.fi>
Cc: 413926@bugs.debian.org
Subject: Re: Extra FUD cleanup
Date: Thu, 08 Mar 2007 18:50:12 +0100
Hi Kai,

> Wordpress does publish md5sums:
> http://wordpress.org/download/release-archive/
> 
> Btw 2.1.x is an unstable branch. The Wordpress stable branch 2.0.x is
> for etch, hopefully. So I like to think of 2.0.x as being on topic, not so
> much 2.1.x.

Thanks for the clarification.

I've been doing quite some security updates for packages like wordpress
that have many security issues and where upstream was not quite
cooperative. I'm therefore interested in getting the right decision made
on wordpress support, not per se any particular one, but one based on as
many facts as possible.

When these facts turn out to have a good explanation, all the better of
course.

| This is the unstable branch

You have uploaded 2.1.x to Debian, so you expect this unstable branch to
become stable before lenny is released?

| MD5 sums are published

Good. Those weren't referenced though from the security announcement. It
would have taken some searching to find them. Also I still can't find an
example of the exploit code that was inserted. Apparently more
information is available but needs to be researched. I'd advise upstream
to just say clearly in their announcement how to diagnose the problem.

I'm not entirely convinced about the handling of this by upstream, but
given the combination of a development version and that the information
is at least somewhere to be found, I think this is acceptable after some
explanation.

I'm not too happy though with your reference to "FUD" which in my view
implies malicious intent on my side. I hope that was not intended that
way.

thanks,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Mark Brown <broonie@debian.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #94 received at 413926@bugs.debian.org (full text, mbox):

From: Mark Brown <broonie@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 413926@bugs.debian.org
Cc: Kai Hendry <hendry@iki.fi>
Subject: Re: Bug#413926: Extra FUD cleanup
Date: Thu, 8 Mar 2007 19:14:14 +0000
On Thu, Mar 08, 2007 at 06:50:12PM +0100, Thijs Kinkhorst wrote:

> would have taken some searching to find them. Also I still can't find an
> example of the exploit code that was inserted. Apparently more

There is an advisory from Ivan Fratric with details of the problem:

	http://ifsec.blogspot.com/2007/03/wordpress-code-compromised-to-enable.html

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Neil McGovern <neilm@debian.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #99 received at 413926@bugs.debian.org (full text, mbox):

From: Neil McGovern <neilm@debian.org>
To: 413926@bugs.debian.org
Subject: Wordpress removal comments
Date: Fri, 9 Mar 2007 15:38:22 +0000
Hi -ctte and bug followers,

I released the last (and only) two security advisories for wordpress,
DTSA-33-1[0] and DTSA-34-1[1], so I thought it may be useful for me to
comment on this bug.

(After writing this mail, I realise it's rather long... so there's a
short summary at the end, marked by [summary])


First, I'd like to give my general opinion of Wordpress: its security
support from upstream, and the responsiveness of upstream and the Debian
maintainer for security issues.

Upstream has committed to supporting Wordpress 2.0.x for just security
updates until 2010:
  "As a reminder, we’ve committed to proving security updates to 2.0
  through 2010, but all new features and development are going into the
  newer branch, which is at this time 2.1."
  http://wordpress.org/development/2007/02/new-releases/
This is the way we apply fixes for security in Debian, and has meant
that the updates I've issued have been drop in replacements using the
vanilla versions from upstream. (To avoid doubt, the packages released
were created by the maintainer, and simply use the new upstream
version)

Both upstream and the maintainer are nice and responsive to all issues.
Upstream has responded very well to queries and comments, and the
maintainer is quick to answer questions and help check which
vulnerabilities affect which versions of Wordpress.


Secondly some general comments, partially from the issues raised in this
bug report.

Wordpress isn't the most secure package in Debian, but it's certainly
not the worst in comparison to other packages. Below is the "Top 20
packages in Debian, sorted by number of CVE-IDs assigned to them":

Position    CVE-IDs     Package
--------    -------     -------
1           285         linux-2.6
2           173         mozilla
3           148         mozilla-firefox
4           131         kernel-source-2.4.27
5           109         firefox
6           103         ethereal
7           91          php4
8           86          xulrunner
9           68          thunderbird
10          63          phpbb2
11          62          mozilla-thunderbird
12          58          php5
13          48          iceweasel
14          46          bugzilla
15          46          apache2
16          45          phpmyadmin
17          43          wordpress
18          37          moodle
19          35          squid
20          35          mantis

Wordpress here comes in at number 17: lower than mozilla products, which
are a complete PAIN to provide support for, and phpbb2 which is rather
infamous for its (lack of) security.

The fixes that have come in from upstream and the packages from the
maintainer are fairly clean, and haven't been modified for the security
announcement (apart from a changelog entry, and a rebuild to check it's
all ok).
The time taken to do these has been very low compared to most other
fixes that have had to be implemented, which is also aided by this being
arch-indep so not requiring the buildds to play with it.
Each additional package release is a little bit more work, but
(certainly using the unembargoed queue) takes less than 10 minutes per
package from getting the source provided by the maintainer, and
releasing the advisory.


Now, I'm not a member of the stable security team, so I can't comment on
how they wish to work. If Wordpress is dropped from etch, I'm happy to
see it continue in Lenny/volatile, as it's been very easy to provide
security support for it from my PoV. If it continues, I'm happy to
prepare advisories and updates through security.debian.org (providing
lenny updates myself, and etch in collaboration with team@s.d.o).


Ultimately, IMO it's an issue for the stable security team.

Hope this helps,
Neil


[summary]
* Upstream are very helpful, want to work with us, and release new
  versions in a way which is very compatible with Debian Security
  practices.
* Both upstream and the maintainer are responsive and handle security
  issues in a timely manner.
* Wordpress isn't the most secure application out there, but it's not
  too bad.
* The actual fixes aren't a problem, and are simple to understand. The
  regularity of them may be an issue, but could be helped by the
  maintainer preparing packages/DSA texts.

[0] http://lists.alioth.debian.org/pipermail/secure-testing-announce/2007-February/000032.html
[1] http://lists.alioth.debian.org/pipermail/secure-testing-announce/2007-March/000033.html
-- 
<mooch> If stockhom sees my banana, he will want to eat it

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #104 received at 413926@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 413926@bugs.debian.org
Subject: Re: wordpress: Should not ship with Etch
Date: Mon, 12 Mar 2007 01:30:14 -0700
Sorry to be a queue-jumper, but I'd like to see the TC address this
wordpress question quickly so that the release team doesn't have to make a
decision by default for etch while the TC is deliberating (or sleeping, as
the case may be :-).

In <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413926;msg=99>, Neil
McGovern seems to make a good point that wordpress's security track record
is comparable to that of other web apps in the same category, such as
phpmyadmin, moodle, phpbb2, and bugzilla.

However, on closer examination, the source data that Neil used here
(svn://svn.debian.org/svn/secure-testing/data/CVE/list) covers *all*
historical CVEs dating back to 1999.  This means that, while the history for
phpbb2 and bugzilla includes CVE entries dating back to 2002, and the
history for phpmyadmin stretches back to 2001, the earliest CVE for
wordpress, a comparatively young piece of software, is CVE-2004-1559.
Viewed this way, wordpress definitely appears to have one of the /highest/
rates of security holes for webapps of its class.  If the security team
believes this is likely to remain the case, then it seems perfectly
reasonable to me that they would not want the package to be included in a
stable release.

FWIW, I also took a look at some popcon numbers for these webapps, and
here's what I found for number of reported installs:

  phpmyadmin: 3504
  wordpress: 245
  phpbb2: 197
  bugzilla: 148

So that makes wordpress somewhat middle-of-the-road by this metric.  But of
course, almost all of the packages with higher CVE counts, in addition to
having longer histories, also have much longer install bases -- packages
like the kernel, the web browsers, apache2, ethereal, and php4.

I would conclude here that there's insufficient grounds for overriding the
security team's decision.

Does anyone disagree or think more information is needed, or should I
propose a vote?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Anthony Towns <aj@azure.humbug.org.au>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #109 received at 413926@bugs.debian.org (full text, mbox):

From: Anthony Towns <aj@azure.humbug.org.au>
To: debian-ctte@lists.debian.org, 413926@bugs.debian.org
Subject: Re: Bug#413926: wordpress: Should not ship with Etch
Date: Tue, 13 Mar 2007 01:46:45 +1000
On Mon, Mar 12, 2007 at 01:30:14AM -0700, Steve Langasek wrote:
> However, on closer examination, the source data that Neil used here
> (svn://svn.debian.org/svn/secure-testing/data/CVE/list) covers *all*
> historical CVEs dating back to 1999.  This means that, while the history for
> phpbb2 and bugzilla includes CVE entries dating back to 2002, and the
> history for phpmyadmin stretches back to 2001, the earliest CVE for
> wordpress, a comparatively young piece of software, is CVE-2004-1559.

Dividing by years gives:

CVEs  Earliest  Years  CVEs/Year  Package

  43      2004      3       14.3  wordpress
  63      2002      5       12.6  phpbb2
  37      2004      3       12.3  moodle
  46      2002      5        9.2  bugzilla
  45      2001      6        7.5  phpmyadmin

> Viewed this way, wordpress definitely appears to have one of the /highest/
> rates of security holes for webapps of its class.

14 bugs per year versus 12 for moodle and phpbb2 doesn't seem that big
a difference to me.

I'm not sure that bug counts like this are really useful though -- they
don't measure the severity of the problems, and could be indicative of
popular code that's being regularly fixed as much as low quality code
that's being regularly broken.

> FWIW, I also took a look at some popcon numbers for these webapps, and
> here's what I found for number of reported installs:
>   phpmyadmin: 3504
>   wordpress: 245
>   phpbb2: 197
>   bugzilla: 148

Of those packages, wordpress was the only one not released with sarge, so I
don't think the numbers are readily comparable.

moodle was also released with sarge, and has a popcon count of 71, afaics.

We seem to have a statement of support from upstream, and an endorsement
from Neil that it's been supportable as far as testing-security was
concerned, as well as from Martin Zobel-Helas who's one of the stable
release managers, so I can't see the need to decline to release it.

I'd consider it the maintainer's and RMs' call though.

(We've removed packages from stable releases in the past, as well, so I
don't see why that option's been ruled out either. Equally, we've added
packages to stable releases in the past, so if Martin wanted to exercise
his prerogative as SRM and add it back in in r1, he could, afaics)

Cheers,
aj


Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #114 received at 413926@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: debian-ctte@lists.debian.org
Cc: 413926@bugs.debian.org
Subject: Re: Bug#413926: wordpress: Should not ship with Etch
Date: Mon, 12 Mar 2007 21:21:35 +0100
* Anthony Towns:

>> Viewed this way, wordpress definitely appears to have one of the /highest/
>> rates of security holes for webapps of its class.
>
> 14 bugs per year versus 12 for moodle and phpbb2 doesn't seem that big
> a difference to me.
>
> I'm not sure that bug counts like this are really useful though -- they
> don't measure the severity of the problems, and could be indicative of
> popular code that's being regularly fixed as much as low quality code
> that's being regularly broken.

Unfortunately, our severity ratings aren't very good (this covers only
bugs from 2005 onwards):

moodle|low|5
moodle|medium|4
moodle|unimportant|5
moodle|unknown|9
phpbb2|high|1
phpbb2|low|4
phpbb2|medium|5
phpbb2|unimportant|16
phpbb2|unknown|15
wordpress|high|1
wordpress|low|5
wordpress|medium|7
wordpress|unimportant|11
wordpress|unknown|15

Apart from that, I'm not sure how much meaning we should attach to
these numbers, even if we had a higher number of vulnerabilities and
more rigorous analysis of each one.  (For instance, #363580 is
apparently not included in the counts above.)

From a software quality point of view, wordpress shares many of the
design flaws typically found in PHP applications.  For instance, it
does not use prepared statements, and consequently does not separate
SQL statements and their parameters in a way that can be audited in a
straightforward manner:

wp-includes/registration.php: return $wpdb->get_var("SELECT ID FROM $wpdb->users WHERE user_email = '$email'");

The function that guards $email against malicious characters is
contained in the file wp-includes/formatting.php, without any hint
that it is security-relevant.

In another case, it's less clear if it's impossible to inject SQL via
the configuration option "start_of_week".

wp-includes/general-template.php: $arcresults = $wpdb->get_results("SELECT DISTINCT WEEK(post_date, $start_of_week) AS `week`, YEAR(post_date) AS yr, DATE_FORMAT(post_date, '%Y-%m-%d') AS yyyymmdd, count(ID) as posts FROM $wpdb->posts WHERE post_type = 'post' AND post_status = 'publish' GROUP BY WEEK(post_date, $start_of_week), YEAR(post_date) ORDER BY post_date DESC" . $limit);

AFAICS, that option is not properly sanitized when it is being set.

Wordpress includes a private copy of ezSQL (LGPLed, according to an
extremely brief statement by upstream), without proper attribution in
the debian/copyright file.

But all that can be considered best current practice, so to speak, and
should not necessarily be a reason to exclude a package from a stable
release.  There might be non-technical concerns regarding the promises
of security support or the maintenance status in Debian, but I'm not
qualified to judge that.
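As an added illustration of the auditability point made above (example code written for this page, not WordPress's own), here is the interpolated-query pattern quoted from registration.php beside a prepared-statement form, run against an in-memory SQLite database through PDO so it is self-contained; the table, its rows and the 0..6 domain assumed for start_of_week are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed fixture: a minimal wp_users table in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_email TEXT NOT NULL)');
$pdo->exec("INSERT INTO wp_users (ID, user_email) VALUES
              (1, 'alice@example.org'),
              (2, 'bob@example.org'),
              (3, 'o''brien@example.org')");   // legitimate address containing a quote

// The pattern from wp-includes/registration.php: the value is spliced into the
// SQL text, so whether this is safe depends entirely on what filtered $email
// somewhere else (formatting.php in the case described in the message). The
// call site itself cannot be audited in isolation.
function email_exists_interpolated(PDO $pdo, string $email): ?int
{
    $sql = "SELECT ID FROM wp_users WHERE user_email = '$email'";
    $id = $pdo->query($sql)->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Prepared-statement form: the statement text is fixed and the value travels
// as a bound parameter, so the separation between SQL and data is visible
// right where the query is written, whatever happened to $email earlier.
function email_exists_prepared(PDO $pdo, string $email): ?int
{
    $stmt = $pdo->prepare('SELECT ID FROM wp_users WHERE user_email = :email');
    $stmt->execute([':email' => $email]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// start_of_week is interpolated unquoted into WEEK(post_date, $start_of_week).
// Where a value has to end up in the SQL text, the defence is to constrain it
// to its documented domain at the point it is set. This example assumes the
// option is a weekday index 0..6; anything else is rejected, not passed on.
function sanitize_start_of_week($value): int
{
    if (is_int($value) && $value >= 0 && $value <= 6) {
        return $value;
    }
    if (is_string($value) && preg_match('/^[0-6]$/', $value) === 1) {
        return (int) $value;
    }
    throw new InvalidArgumentException('start_of_week must be an integer in 0..6');
}

// A perfectly ordinary address is enough to show the difference: the
// interpolated statement breaks on the stray quote, the prepared one does not.
$probe = "o'brien@example.org";
try {
    var_dump(email_exists_interpolated($pdo, $probe));
} catch (PDOException $e) {
    echo 'interpolated query failed on a legitimate value: ', $e->getMessage(), PHP_EOL;
}
var_dump(email_exists_prepared($pdo, $probe));   // int(3)

var_dump(sanitize_start_of_week('3'));           // int(3)
foreach (['7', 'monday', '3 '] as $bad) {
    try {
        sanitize_start_of_week($bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected start_of_week value '$bad'", PHP_EOL;
    }
}
```

Later WordPress releases added $wpdb->prepare() for the same separation; PDO is used here only so the script runs without WordPress.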



Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #119 received at 413926@bugs.debian.org (full text, mbox):

From: Andreas Barth <aba@not.so.argh.org>
To: debian-ctte@lists.debian.org
Cc: 413926@bugs.debian.org
Subject: Re: Bug#413926: wordpress: Should not ship with Etch
Date: Mon, 12 Mar 2007 22:02:30 +0100
* Florian Weimer (fw@deneb.enyo.de) [070312 21:22]:
> But all that can be considered best current practice, so to speak, and
> should not necessarily be a reason to exclude a package from a stable
> release.  There might be non-technical concerns regarding the promises
> of security support or the maintenance status in Debian, but I'm not
> qualified to judge that.

After careful reading of this and the other messages, I tend to come to
this conclusion:

1. Wordpress is no worse than lots of other php applications, and I
don't think we want to do a mass-removal of php applications now. I also
don't think we should discriminate wordpress relative to other php
applications.
2. Wordpress per se is security supportable. Neil has worked within the
testing security team for some time, and I don't see reasons why he
shouldn't be trusted for being able to help with security support for
stable as well (Other people might have superior knowledge - if so,
please share it with me).
3. We require that applications are "security supportable". So,
concluding from 1 and 2, this criterion seems to be fulfilled for
wordpress.

Under these conclusions, I tend to the following resolution:
1. We thank Moritz Muehlenhoff for bringing issues with wordpress to our
attention.
2. We thank Neil McGovern for offering security support for wordpress
during Etch's lifetime.
3. We consider Neil's offer mature enough to not consider wordpress
failing the release policy's "Packages in the archive must not be so
buggy [...] we refuse to support them."[1].
4. We recommend the release team to consider the same, and adjust the
bug's severity.

[1] http://release.debian.org/etch_rc_policy.txt


Cheers,
Andi
-- 
  http://home.arcor.de/andreas-barth/



Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #124 received at 413926@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 413926@bugs.debian.org
Subject: Re: Bug#413926: wordpress: Should not ship with Etch
Date: Mon, 12 Mar 2007 14:46:57 -0700
On Tue, Mar 13, 2007 at 01:46:45AM +1000, Anthony Towns wrote:
> Dividing by years gives:

> CVEs Earliest Years CVEs/Year

>   43     2004     3      14.3  wordpress
>   63     2002     5      12.6  phpbb2
>   37     2004     3      12.3  moodle
>   46     2002     5       9.2  bugzilla
>   45     2001     6       7.5  phpmyadmin

> > Viewed this way, wordpress definitely appears to have one of the /highest/
> > rates of security holes for webapps of its class.

> 14 bugs per year versus 12 for moodle and phpbb2 doesn't seem that big
> a difference to me.

Sure.  I'm not arguing that I would have made the same decision as the
security team in their place, I just think that there's insufficient
evidence to support overriding their decision.

> I'm not sure that bug counts like this are really useful though -- they
> don't measure the severity of the problems, and could be indicative of
> popular code that's being regularly fixed as much as low quality code
> that's being regularly broken.

Indeed, standing alone a bug count can equally suggest a thorough audit or a
terribly buggy piece of software.  As the folks doing the backports of
security fixes for wordpress, aren't the security team best positioned to
know which applies here?

> > FWIW, I also took a look at some popcon numbers for these webapps, and
> > here's what I found for number of reported installs:
> >   phpmyadmin: 3504
> >   wordpress: 245
> >   phpbb2: 197
> >   bugzilla: 148

> Of those packages, wordpress was the only one not released with sarge, so I
> don't think the numbers are readily comparable.

Fair enough.

> We seem to have a statement of support from upstream, and an endorsement
> from Neil that it's been supportable as far as testing-security was
> concerned, as well as from Martin Zobel-Helas who's one of the stable
> release managers, so I can't see the need to decline to release it.

I give a lot of weight to concerns expressed by the security team.  Granted,
they don't get to pick their bugs, and it would be unreasonable for the
security team to throw out, say, all packages that had ever had security
bugs, or to decline to support all packages of Priority optional or lower
due to lack of manpower; but I think the difference between "this package is
bound to have security issues because it's large and addresses a difficult
problem space", and "this package is bound to have security issues because
it's very poorly designed or has atypically low standards for acceptance of
contributions" is relevant.  It's my impression that the security team's
objections to wordpress stem from a belief that it lies in the latter
category.

> I'd consider it the maintainer's and RMs' call though.

Ok, does that mean you agree the TC should not override any decisions here?

Hmm -- if it's the RMs' call, I guess that means Andi and I both are
required to abstain from any vote on this (Constitution 6.3.2).  Is it still
ok for me to call for a vote? :)  (FWIW, as RM the decision I consider to
have made is "defer to the judgement of the security team", so I guess the
TC does have a choice on who to overrule...)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #129 received at 413926@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 413926@bugs.debian.org
Subject: Re: Bug#413926: wordpress: Should not ship with Etch
Date: Wed, 14 Mar 2007 23:14:02 +0100
Hi,

[I lack the time to comment extensively, just some brief comments.
 This will likely be my last post in this buglog]

Steve Langasek wrote:
> On Tue, Mar 13, 2007 at 01:46:45AM +1000, Anthony Towns wrote:
> > Dividing by years gives:
> 
> > CVEs Earliest Years CVEs/Year
> 
> >   43     2004     3      14.3  wordpress
> >   63     2002     5      12.6  phpbb2
> >   37     2004     3      12.3  moodle
> >   46     2002     5       9.2  bugzilla
> >   45     2001     6       7.5  phpmyadmin
> 
> > > Viewed this way, wordpress definitely appears to have one of the /highest/
> > > rates of security holes for webapps of its class.
> 
> > 14 bugs per year versus 12 for moodle and phpbb2 doesn't seem that big
> > a difference to me.
> 
> Sure.  I'm not arguing that I would have made the same decision as the
> security team in their place, I just think that there's insufficient
> evidence to support overriding their decision.

A major difference is that all other packages are already present in stable and
removing them would be a regression for our users. Also, phpbb2 has
improved significantly in their production branch and the maintainer is
doing very well.
 
I'd also like to remind that moving wordpress to volatile doesn't make it
a second-class package! It just means that a package is not suitable for
36 month release cycles. Even the wordpress update Neil provided for testing
from the 2.0 maintenance release included several non-security fixes. It's
also extremely likely that Wordpress will require new countermeasures for blog
comment spam etc. If Neil updates wordpress in volatile, it can be maintained
with the wordpress 2.0 branch as far as possible and if that fails it can
be updated to a new upstream version. I'm willing to provide security information
about new vulnerabilities like for any other package in the archive and assist
as far as my time permits.

Kai, I'm very irritated about your behaviour. Quotes like
>19:57 < hendry> the arguments by vorlon and jmm_ are pitiful
or calling Thijs' arguments FUD are not acceptable in a technical
discussion. Having been your AM I would have expected better.

To the core of the problem: Several web applications have similar problems
and security support for them will need to be re-evaluated for Lenny. I'm
willing to discuss such criteria at DebConf with interested parties.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to moth@debian.org:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #134 received at 413926@bugs.debian.org (full text, mbox):

From: "Raul Miller" <moth.debian@gmail.com>
To: "Steve Langasek" <vorlon@debian.org>, 413926@bugs.debian.org
Subject: Re: Bug#413926: wordpress: Should not ship with Etch
Date: Sat, 17 Mar 2007 10:48:59 -0400
On 3/12/07, Steve Langasek <vorlon@debian.org> wrote:
> Hmm -- if it's the RMs' call, I guess that means Andi and I both are
> required to abstain from any vote on this (Constitution 6.3.2).  Is it still
> ok for me to call for a vote? :)  (FWIW, as RM the decision I consider to
> have made is "defer to the judgement of the security team", so I guess the
> TC does have a choice on who to overrule...)

I can think of no reason [constitutional or otherwise] why you should not be
allowed to call for a vote for the rest of the committee to [potentially]
override you.

-- 
Raul



Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #139 received at 413926@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 413926@bugs.debian.org
Subject: Call for vote: wordpress: Should not ship with Etch
Date: Sun, 25 Mar 2007 19:27:13 -0700
On Sat, Mar 17, 2007 at 10:48:59AM -0400, Raul Miller wrote:
> On 3/12/07, Steve Langasek <vorlon@debian.org> wrote:
> >Hmm -- if it's the RMs' call, I guess that means Andi and I both are
> >required to abstain from any vote on this (Constitution 6.3.2).  Is it 
> >still
> >ok for me to call for a vote? :)  (FWIW, as RM the decision I consider to
> >have made is "defer to the judgement of the security team", so I guess the
> >TC does have a choice on who to overrule...)

> I can think of no reason [constitutional or otherwise] why you should not be
> allowed to call for a vote for the rest of the committee to [potentially]
> override you.

So we've been discussing within the release team the decision whether to
treat the security team's request as RC, and we're split on the question;
the decision has been made that the release team will instead refer this
decision to the TC under 6.1.3 of the constitution.

Since that makes this a referred decision rather than an override, a simple
majority should therefore be sufficient to decide in either direction.
Further, it's my understanding that there's no requirement for Andi or me to
abstain.  (Not that I think it's likely to affect the vote outcome, given
that we were split on the question to begin with. ;)

Following is a ballot for the question of bug #413926.  I've drafted two
separate ballot options to allow the TC to vote the full range of
preferences under Condorcet; hopefully, 'further discussion' will rank low
on everyone's ballots anyway. :)  As far as I'm concerned no verbose
resolution is needed here, feel free to consider the one-line description to
be the full text of the resolution.

I'm calling for an immediate vote, in the hopes that this decision can be
made without impact to the etch release timeline.

  In the brackets next to your preferred choice, place a 1. Place a 2 in
  the brackets next to your next choice.  Continue until you reach your last
  choice.  Do not enter a number smaller than 1 or larger than 3.  You may
  skip numbers.  You may rank options equally (as long as all choices X you
  make fall in the range 1 <= X <= 3).

  To vote "no, no matter what" rank "Further discussion" as more
  desirable than the unacceptable choices, or You may rank the "Further
  discussion" choice, and leave choices you consider unacceptable
  blank. Unranked choices are considered equally the least desired
  choices, and ranked below all ranked choices. (Note: if the Further
  Discussion choice is unranked, then it is equal to all other unranked
  choices, if any.)

- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
[   ] Choice 1: wordpress should not be included in etch due to bug #413269
[   ] Choice 2: wordpress should be included in etch in spite of bug #413269
[   ] Choice 3: Further discussion
- - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-


Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Anthony Towns <aj@azure.humbug.org.au>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #144 received at 413926@bugs.debian.org (full text, mbox):

From: Anthony Towns <aj@azure.humbug.org.au>
To: 413926@bugs.debian.org
Subject: Re: Bug#413926: Call for vote: wordpress: Should not ship with Etch
Date: Mon, 26 Mar 2007 12:53:46 +1000
[Message part 1 (text/plain, inline)]
On Sun, Mar 25, 2007 at 07:27:13PM -0700, Steve Langasek wrote:
> - - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
> [ 2 ] Choice 1: wordpress should not be included in etch due to bug #413269
> [ 1 ] Choice 2: wordpress should be included in etch in spite of bug #413269
> [ 3 ] Choice 3: Further discussion
> - - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-

Rationale: Neil McGovern [0] has indicated it should be supportable,
having already done testing-security support for it, and Kai Hendry as
the non-DD Debian maintainer has indicated both he and upstream [1]
are expecting to continue supporting the package. That seems sufficient to
count the package as security supportable for etch to me.

As far as advising versus overruling goes, I think inclusion in etch is
the RMs' decision, and without an opinion from them, we've got a case
of "Developers' jurisdictions overlap" so rather than trying to work
out whether it's fair to overrule the security team or the maintainer
(both of which I'd rather not), I'm just giving my opinion on what's
the best course of action.

Cheers,
aj

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413926;msg=99
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413926;msg=44
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #149 received at 413926@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 413926@bugs.debian.org
Subject: Re: Bug#413926: Call for vote: wordpress: Should not ship with Etch
Date: Sun, 25 Mar 2007 20:58:58 -0700
[Message part 1 (text/plain, inline)]
> - - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
> [ 1 ] Choice 1: wordpress should not be included in etch due to bug #413269
> [ 2 ] Choice 2: wordpress should be included in etch in spite of bug #413269
> [ 3 ] Choice 3: Further discussion
> - - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-

Rationale: the security team are domain experts when it comes to questions
of code quality vis-à-vis security; even with a guarantee that developer
time will be available for preparation of DSAs, it is reasonable to exclude
packages based on estimates of the number of security fixes a package will
require over the course of a stable release cycle.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Ian Jackson <ian@davenant.greenend.org.uk>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #154 received at 413926@bugs.debian.org (full text, mbox):

From: Ian Jackson <ian@davenant.greenend.org.uk>
To: 413926@bugs.debian.org
Subject: Re: Bug#413926: Call for vote: wordpress: Should not ship with Etch
Date: Mon, 26 Mar 2007 12:02:34 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Langasek writes ("Bug#413926: Call for vote: wordpress: Should not ship with Etch"):
> - - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
> [ 1 ] Choice 1: wordpress should not be included in etch due to bug #413269
> [ 2 ] Choice 2: wordpress should be included in etch in spite of bug #413269
> [ 3 ] Choice 3: Further discussion
> - - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-

I have found this a difficult decision but I don't think waiting any
longer is going to help.  I'm marginally leaning towards not allowing
it, so that's how I'm voting.

Ian.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iQCVAwUBRgeoR8MWjroj9a3bAQIc5gP+M+o1dFL64E8+CsNJ8jcJ4tMwRzb/lxsT
DhjnDm6/xD8lsu+BdZdivsTyu2jXYJAyXBfBGob+I4+0Uq67Cxhh6+yj8JnH0/GO
ZhcfD9DHWMUGo/9yWidz8M34md3ddZJolSGNl3h6SWcdTq62/v1UxtCND2k3sO6X
MY1HXH2Gs0M=
=QsWQ
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #159 received at 413926@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: Steve Langasek <vorlon@debian.org>
Cc: 413926@bugs.debian.org
Subject: Re: Bug#413926: Call for vote: wordpress: Should not ship with Etch
Date: Mon, 26 Mar 2007 20:32:41 -0600
vorlon@debian.org (Steve Langasek) writes:

> - - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
> [ 2 ] Choice 1: wordpress should not be included in etch due to bug #413269
> [ 1 ] Choice 2: wordpress should be included in etch in spite of bug #413269
> [ 3 ] Choice 3: Further discussion
> - - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-

I am unconvinced that wordpress is more likely to have future security issues,
or that they would be harder to resolve, than many other packages in etch.

Bdale



Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Manoj Srivastava <srivasta@debian.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #164 received at 413926@bugs.debian.org (full text, mbox):

From: Manoj Srivastava <srivasta@debian.org>
To: debian-ctte@lists.debian.org, 413926@bugs.debian.org
Subject: Re: Bug#413926: Call for vote: wordpress: Should not ship with Etch
Date: Tue, 27 Mar 2007 00:32:44 -0500
[Message part 1 (text/plain, inline)]
> - - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
> [ 2 ] Choice 1: wordpress should not be included in etch due to bug #413269
> [ 1 ] Choice 2: wordpress should be included in etch in spite of bug #413269
> [ 3 ] Choice 3: Further discussion
> - - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-

        At this point, I have to decide between the prognostications
 of a security team member, versus the opinions of the debian
 maintainer and upstream's commitment to support.  I tend to also
 consider the maintainers to be domain experts as far as their package
 is concerned, which counters the security team being domain experts
 in security issues and solutions.

        Additionally, lacking specifics, I would tend to let decisions
 of non-bugginess to the point of being unsupportable to lie with the
 maintainers, since they would have to support the package, so I am
 voting the way I did.

        manoj
-- 
It's better to burn out than it is to rust.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #169 received at 413926@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 413926@bugs.debian.org, 413269-done@bugs.debian.org
Subject: Results of technical committee vote
Date: Tue, 27 Mar 2007 00:09:19 -0700
[Message part 1 (text/plain, inline)]
With six of seven committee members having voted, there is a definite
Condorcet winner and the outcome of the vote is no longer in doubt under
6.3.1 of the constitution.  While I'm sure we'd all welcome Raul's thoughts
on the question, and by my reading any member of the TC is still allowed to
change their vote for up to a week after the call for votes, I don't think
there's any harm in proceeding according to this provisional outcome.  If
any further votes are received, I'll respin this report at the end of the
week; and I'll wait for the week to be up before requesting changes to
<http://www.debian.org/devel/tech-ctte>, but I will go ahead and close bug
#413269 with this mail.

     Option 1--->: wordpress should not be included in etch due to bug #413269
   /  Option 2-->: wordpress should be included in etch in spite of bug #413269
   |/  Option 3->: Further discussion
   ||/
V: 213  Andreas Barth
V: 213  Anthony Towns
V: 213  Bdale Garbee
V: 123  Ian Jackson
V: 213  Manoj Srivastava
V: 123  Steve Langasek

In the following table, tally[row x][col y] represents the votes that
option x received over option y.

Option 1 "wordpress should not be included in etch due to bug #413269"
Option 2 "wordpress should be included in etch in spite of bug #413269"
Option 3 "Further discussion"

            Option
          1   2   3
          =   =   =
Option 1      2   6
Option 2  4       6
Option 3  0   0    

Option 2 defeats Option 1 by (4 - 2) = 2 votes.
Option 1 defeats Option 3 by (6 - 0) = 6 votes.
Option 2 defeats Option 3 by (6 - 0) = 6 votes.

The Schwartz contains:
	Option 2 "wordpress should be included in etch in spite of bug #413269"

The winner is:
	Option 2 "wordpress should be included in etch in spite of bug #413269"

So the decision of the Technical Committee is to include wordpress in etch
in spite of the objections of the Security Team; bug #413269 is no longer
release-critical for etch.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to "焕顺李" <toplinuxsir@gmail.com>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #174 received at 413926@bugs.debian.org (full text, mbox):

From: "焕顺李" <toplinuxsir@gmail.com>
To: "Bdale Garbee" <bdale@gag.com>, 413926@bugs.debian.org
Subject: Re: Bug#413926: Call for vote: wordpress: Should not ship with Etch
Date: Tue, 27 Mar 2007 15:14:27 +0800
wordpress should not be included in etch due to bug #413269

2007/3/27, Bdale Garbee <bdale@gag.com>:
> vorlon@debian.org (Steve Langasek) writes:
>
> > - - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
> > [ 2 ] Choice 1: wordpress should not be included in etch due to bug #413269
> > [ 1 ] Choice 2: wordpress should be included in etch in spite of bug #413269
> > [ 3 ] Choice 3: Further discussion
> > - - -=-=-=-=-=- Don't Delete Anything Between These Lines =-=-=-=-=-=-=-=-
>
> I am unconvinced that wordpress is more likely to have future security issues,
> or that they would be harder to resolve, than many other packages in etch.
>
> Bdale



Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to moth@debian.org:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #179 received at 413926@bugs.debian.org (full text, mbox):

From: "Raul Miller" <moth.debian@gmail.com>
To: "Steve Langasek" <vorlon@debian.org>, 413926@bugs.debian.org
Subject: Re: Bug#413926: Results of technical committee vote
Date: Thu, 29 Mar 2007 00:46:42 -0400
I apologize for not voting, but while I generally concur with
the voted decision, I have not had time to study any of
our issues in any depth these last couple weeks.

Thanks,

-- 
Raul



Information forwarded to debian-bugs-dist@lists.debian.org, Technical Committee <debian-ctte@lists.debian.org>:
Bug#413926; Package tech-ctte. Full text and rfc822 format available.

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Technical Committee <debian-ctte@lists.debian.org>. Full text and rfc822 format available.

Message #184 received at 413926@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: debian-ctte@lists.debian.org
Cc: 413926@bugs.debian.org
Subject: Re: Bug#413926: wordpress: Should not ship with Etch
Date: Thu, 29 Mar 2007 10:39:06 -0400
>>>>> "Anthony" == Anthony Towns <aj@azure.humbug.org.au> writes:

    Anthony> Dividing by years gives:

    Anthony> CVEs  Earliest  Years  CVEs/Year
    Anthony>   43      2004      3       14.3  wordpress
    Anthony>   63      2002      5       12.6  phpbb2
    Anthony>   37      2004      3       12.3  moodle
    Anthony>   46      2002      5        9.2  bugzilla
    Anthony>   45      2001      6        7.5  phpmyadmin

    >> Viewed this way, wordpress definitely appears to have one of
    >> the /highest/ rates of security holes for webapps of its class.

    Anthony> 14 bugs per year versus 12 for moodle and phpbb2 doesn't
    Anthony> seem that big a difference to me.

    Anthony> I'm not sure that bug counts like this are really useful
    Anthony> though -- they don't measure the severity of the
    Anthony> problems, and could be indicative of popular code that's
    Anthony> being regularly fixed as much as low quality code that's
    Anthony> being regularly broken.

While I'm not on the TC, I'd like to second the point here that
looking at bug counts here isn't really the right picture.

I work on MIT Kerberos for my day job.  We get a lot of complaints
that MIT Kerberos has a worse security track record than Heimdal
because we've had more security advisories.

However, almost all these security advisories are from code inspection
and auditing, not from exploits.  We could (but ethically will not)
just ignore these issues or try and slip them into future releases to
try and improve our security track record.

However, without knowing whether similar auditing is going on against
other products, or knowing how many people are looking, number of
security incidents per time may not be a good description of how buggy
code is.

--Sam




Reply sent to bdale@gag.com (Bdale Garbee):
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #189 received at 413926-done@bugs.debian.org (full text, mbox):

From: bdale@gag.com (Bdale Garbee)
To: 413926-done@bugs.debian.org
Subject: decided
Date: Mon, 9 Apr 2007 23:09:54 -0600 (MDT)
Closing this bug as the question decided by the TC has now been documented on
the TC web page.

Bdale



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jun 2007 20:40:14 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 19:58:04 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.