Debian Bug report logs - #506402
ircd-hybrid: Option can_flood is not correctly enforced

Package: ircd-hybrid; Maintainer for ircd-hybrid is Dominic Hargreaves <dom@earth.li>; Source for ircd-hybrid is src:ircd-hybrid.

Reported by: Denis Sacchet <spam@ouba.org>

Date: Fri, 21 Nov 2008 08:18:01 UTC

Severity: important

Tags: confirmed, patch, upstream

Found in version 7.2.2.dfsg.2-3

Fixed in version ircd-hybrid/1:8.0.4.dfsg.1-1

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Joshua Kwan <joshk@triplehelix.org>:
Bug#506402; Package ircd-hybrid. (Fri, 21 Nov 2008 08:18:07 GMT)

Acknowledgement sent to Denis Sacchet <spam@ouba.org>:
New Bug report received and forwarded. Copy sent to Joshua Kwan <joshk@triplehelix.org>. (Fri, 21 Nov 2008 08:18:08 GMT)

Message #5 received at submit@bugs.debian.org:

From: Denis Sacchet <spam@ouba.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ircd-hybrid: Option can_flood is not correctly enforced
Date: Fri, 21 Nov 2008 09:13:04 +0100
[Message part 1 (text/plain, inline)]
Package: ircd-hybrid
Version: 7.2.2.dfsg.2-3
Severity: important
Tags: patch

In the code, the wrong macro is used to verify if a specific user has
the can_flood flag set.

The attached patch corrects this behaviour. It is a dpatch you just have
to put in debian/patches directory.

Best regards

Denis Sacchet

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21.1dedibox-r7
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
[19_can_flood.dpatch (application/x-shellscript, attachment)]

Reply sent to Joerg Jaspert <joerg@debian.org>:
You have taken responsibility. (Fri, 28 Nov 2008 11:45:09 GMT)

Notification sent to Denis Sacchet <spam@ouba.org>:
Bug acknowledged by developer. (Fri, 28 Nov 2008 11:45:14 GMT)

Message #10 received at 506402-done@bugs.debian.org:

From: Joerg Jaspert <joerg@debian.org>
To: 495721-done@bugs.debian.org
Cc: 506402-done@bugs.debian.org, debian-legal@lists.debian.org
Subject: AGPL and Debian
Date: Fri, 28 Nov 2008 12:42:09 +0100
[Message part 1 (text/plain, inline)]
Hi,

recently we, your mostly friendly Ftpmaster and -team, have been asked
about an opinion about the AGPL in Debian.

The short summary is: We think that works licensed under the AGPL can
go into main. (Provided they don't have any other problems).

Reason:
The concerns people have expressed with regard to this license relate to
the only § in it which is different to the GPL:

|| 13. Remote Network Interaction; Use with the GNU General Public License.

Citing the three main concerns from Bug #495721:

> 1) It might add a cost to the usage of the software that restricts
>    its usage.
[this is also raised in #506042]

We do not think that this is a severe enough problem to restrict the
freeness of a work licensed using the AGPL.
 - Offering a publicly accessible network service already comes with a
   cost that might be hard to calculate. Think about DDOS attacks for
   example.

 - For practical matters the distribution costs via the internet are
   close to zero for free software. While bandwidth does cost money, and
   having a (say) 20MB app downloaded a million times would create a
   large cost, the license text reads "from a network server at no
   charge". This means it is not required to be your own server, so you
   can use any of the free services, like Alioth, Savannah, SourceForge,
   Launchpad or Google Code. While those are only there for Free
   Software - that is the case for AGPL applications.

Considering those points, the requirement to make the source available
does not seem to be one which restricts the usage of the software in any
way related to us and the DFSG.

> 2) It might forbid private usage of software that uses any kind of
>    network.

We do not see that it would forbid the private usage of the software. If
you use the software privately, the users of that software are a pretty
limited group. And as soon as they can reach your system to use the
software that means they are able to either download the source from your
private server or get a link to a download location on a machine
accessible to them.

Why might it forbid the private usage of software? Section 13 only
requires to offer the source to the users of your service. As such you
only need to give it to the limited user set your private usage has.

Also, we tend to agree with the FSF's opinion that a client does not need
to provide you access to the source of the servers it interacts with, see
http://www.fsf.org/licensing/licenses/gpl-faq.html#AGPLv3ServerAsUser

> 3) It might contaminate unrelated software.

We aren't sure that this is much different to the "normal" GPL. It is a
copyleft license after all. So unless someone declares the GPL non-free
thanks to that, we disagree with applying it to the AGPL.


In conclusion we will continue to accept AGPL works into main subject to
the rest of the checks that we also normally perform.

-- 
bye, Joerg
Could you please add me to the mirrors@debian.org alias. I'm not receiving
enough spam.
  -- Andrew Pollock
[Message part 2 (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from Joerg Jaspert <joerg@debian.org> to control@bugs.debian.org. (Fri, 28 Nov 2008 12:00:02 GMT)

Did not alter fixed versions and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 13 Apr 2010 21:21:07 GMT)

Added tag(s) upstream and confirmed. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 11 Jan 2013 18:51:04 GMT)

Added tag(s) pending. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 11 Jan 2013 22:39:10 GMT)

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Sun, 13 Jan 2013 16:21:13 GMT)

Notification sent to Denis Sacchet <spam@ouba.org>:
Bug acknowledged by developer. (Sun, 13 Jan 2013 16:21:13 GMT)

Message #23 received at 506402-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 506402-close@bugs.debian.org
Subject: Bug#506402: fixed in ircd-hybrid 1:8.0.4.dfsg.1-1
Date: Sun, 13 Jan 2013 16:17:39 +0000
Source: ircd-hybrid
Source-Version: 1:8.0.4.dfsg.1-1

We believe that the bug you reported is fixed in the latest version of
ircd-hybrid, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506402@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated ircd-hybrid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 13 Jan 2013 16:01:22 +0000
Source: ircd-hybrid
Binary: ircd-hybrid hybrid-dev
Architecture: source all i386
Version: 1:8.0.4.dfsg.1-1
Distribution: experimental
Urgency: low
Maintainer: Dominic Hargreaves <dom@earth.li>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 hybrid-dev - development files for ircd-hybrid
 ircd-hybrid - high-performance secure IRC server
Closes: 413600 425202 506402 664661
Changes: 
 ircd-hybrid (1:8.0.4.dfsg.1-1) experimental; urgency=low
 .
   * Switch to dpkg-source 3.0 (quilt) format
   * Update patchlevel automatically (was out of date)
   * Switch to debhelper 8
   * Remove obsolete sections of debian/rules
   * Add missing ${misc:Depends} to hybrid-dev Depends
   * Add build-indep and build-arch targets
   * Update Standards-Version to 3.9.4
   * Switch to git-dpm for patch management
   * Add debian/README.source describing patch management and dfsg
     tarball creation
   * New upstream release (Closes: #413600)
     - drop all patches other than patchlevel_debian. Note
       that #283738, which was previously fixed by warn_no_ssl_files,
       still exists, but is expected to be fixed by an upstream change
       soon.
     - m_services.c no longer hard-codes services name (Closes: #425202)
     - can_flood is now correctly enforced (Closes: #506402)
     - MAXCLIENTS is now a runtime configuration, so remove support for
       setting it in debian/rules
     - Install headers into /usr/include/ircd-hybrid-8
   * Update debian/copyright to format 1.0; licence is GPL-2+
   * Don't build contrib modules as they contain known buggy code
     and are not supported upstream
   * Refresh default ircd.conf files from upstream examples
     (Closes: #664661)
   * Set a default sid in ircd.conf, and add NEWS item about the need to
     set a unique sid in a network
   * Fix Lintian warning about deprecated use of chown in SSL postinst

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFQ8truYzuFKFF44qURAlUGAJ49QWz+sRALzXr7k69UJcWAotshyQCeJcSO
AKZ23+rsQJHt5zh3+OMsx1s=
=51KG
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Feb 2013 07:25:31 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 10:57:08 2014; Machine Name: beach.debian.org
