Debian Bug report logs - #624768
O: libnss-db -- NSS module for using Berkeley Databases as a naming service

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Ondřej Surý <ondrej@debian.org>

Date: Sun, 1 May 2011 13:33:02 UTC

Severity: normal

Merged with 636733



Report forwarded to debian-bugs-dist@lists.debian.org, dexter@debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#624768; Package release.debian.org. (Sun, 01 May 2011 13:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
New Bug report received and forwarded. Copy sent to dexter@debian.org, Debian Release Team <debian-release@lists.debian.org>. (Sun, 01 May 2011 13:33:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: RM: libnss-db/2.2.3pre1-3.1
Date: Sun, 01 May 2011 15:28:01 +0200

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: rm

Hi,

I propose libnss-db removal from testing and stable, because it:

- has a serious security bug in stable and testing
- is unmaintained in upstream (removed from glibc, no upstream)
- is unmaintained in Debian (security bug open for a year)

O.

-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#624768; Package release.debian.org. (Sun, 01 May 2011 14:00:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 01 May 2011 14:00:08 GMT) Full text and rfc822 format available.

Message #10 received at 624768@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Ondřej Surý <ondrej@debian.org>, 624768@bugs.debian.org
Subject: Re: Bug#624768: RM: libnss-db/2.2.3pre1-3.1
Date: Sun, 1 May 2011 15:57:09 +0200

On Sun, May  1, 2011 at 15:28:01 +0200, Ondřej Surý wrote:

> I propose libnss-db removal from testing and stable, because it:
> 
> - has a serious security bug in stable and testing
> - is unmaintained in upstream (removed from glibc, no upstream)
> - is unmaintained in Debian (security bug open for a year)
> 
Removal from stable isn't going to happen.  As to testing, what's the
alternative for nss-db users, such as, say, *.debian.org?

Cheers,
Julien




Added tag(s) moreinfo. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sun, 01 May 2011 15:39:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#624768; Package release.debian.org. (Mon, 02 May 2011 12:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 02 May 2011 12:33:02 GMT) Full text and rfc822 format available.

Message #17 received at 624768@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Julien Cristau <jcristau@debian.org>
Cc: 624768@bugs.debian.org
Subject: Re: Bug#624768: RM: libnss-db/2.2.3pre1-3.1
Date: Mon, 2 May 2011 14:30:13 +0200

2011/5/1 Julien Cristau <jcristau@debian.org>:
> On Sun, May  1, 2011 at 15:28:01 +0200, Ondřej Surý wrote:
>
>> I propose libnss-db removal from testing and stable, because it:
>>
>> - has a serious security bug in stable and testing
>> - is unmaintained in upstream (removed from glibc, no upstream)
>> - is unmaintained in Debian (security bug open for a year)
>>
> Removal from stable isn't going to happen.

Ok, no problem.

> As to testing, what's the alternative for nss-db users, such as, say, *.debian.org?

One alternative would be to adopt the package both in debian and as an
upstream (or convince (e)glibc people to pick it up) and care about it
if it's important for Debian.

I don't know the Debian infrastructure enough to be able to answer the
question, but wouldn't libnss-ldap do the job - DD accounts are stored
in LDAP, aren't they?

O.
-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#624768; Package release.debian.org. (Mon, 02 May 2011 17:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 02 May 2011 17:57:03 GMT) Full text and rfc822 format available.

Message #22 received at 624768@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Ondřej Surý <ondrej@debian.org>
Cc: 624768@bugs.debian.org
Subject: Re: Bug#624768: RM: libnss-db/2.2.3pre1-3.1
Date: Mon, 2 May 2011 19:54:06 +0200

On Mon, May  2, 2011 at 14:30:13 +0200, Ondřej Surý wrote:

> One alternative would be to adopt the package both in debian and as an
> upstream (or convince (e)glibc people to pick it up) and care about it
> if it's important for Debian.
> 
> I don't know the Debian infrastructure enough to be able to answer the
> question, but wouldn't libnss-ldap do the job - DD accounts are stored
> in LDAP, aren't they?
> 
AIUI libnss-ldap means if your connection to the ldap server goes down
temporarily for some reason you're locked out until it comes back.  That
seems bad for a setup like debian's which is heavily distributed.  So
currently the account data is synchronized with ud-replicate and cron,
and imported into bdb files for libnss-db use.

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#624768; Package release.debian.org. (Mon, 02 May 2011 18:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 02 May 2011 18:15:04 GMT) Full text and rfc822 format available.

Message #27 received at 624768@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Julien Cristau <jcristau@debian.org>, debian-admin@lists.debian.org
Cc: 624768@bugs.debian.org
Subject: Re: Bug#624768: RM: libnss-db/2.2.3pre1-3.1
Date: Mon, 2 May 2011 20:11:51 +0200

I am Ccing the DSA team, because this affects them most...

On Mon, May 2, 2011 at 19:54, Julien Cristau <jcristau@debian.org> wrote:
> On Mon, May  2, 2011 at 14:30:13 +0200, Ondřej Surý wrote:
>
>> One alternative would be to adopt the package both in debian and as an
>> upstream (or convince (e)glibc people to pick it up) and care about it
>> if it's important for Debian.
>>
>> I don't know the Debian infrastructure enough to be able to answer the
>> question, but wouldn't libnss-ldap do the job - DD accounts are stored
>> in LDAP, aren't they?
>>
> AIUI libnss-ldap means if your connection to the ldap server goes down
> temporarily for some reason you're locked out until it comes back.  That
> seems bad for a setup like debian's which is heavily distributed.  So
> currently the account data is synchronized with ud-replicate and cron,
> and imported into bdb files for libnss-db use.

Well, libnss-ldap(d) + NSCD could do the trick for short offline
periods (with HA LDAP setup).

http://wiki.debian.org/LDAP/NSS

Same for PAM+LDAP:

http://wiki.debian.org/LDAP/PAM

However I am not strongly pushing one way (the upstream-adoption) or
another (the ldap+nscd) - however I feel that depending on
unmaintained software with a year-old security bug isn't really a good
option.

O.
-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#624768; Package release.debian.org. (Mon, 02 May 2011 21:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 02 May 2011 21:03:04 GMT) Full text and rfc822 format available.

Message #32 received at 624768@bugs.debian.org (full text, mbox):

From: Peter Palfrader <weasel@debian.org>
To: Ondrej Surý <ondrej@debian.org>
Cc: Julien Cristau <jcristau@debian.org>, debian-admin@lists.debian.org, 624768@bugs.debian.org
Subject: Re: Bug#624768: RM: libnss-db/2.2.3pre1-3.1
Date: Mon, 2 May 2011 22:58:56 +0200

On Mon, 02 May 2011, Ondrej Surý wrote:

> Well, libnss-ldap(d) + NSCD could do the trick for short offline
> periods (with HA LDAP setup).
> 
> http://wiki.debian.org/LDAP/NSS

I don't think libpam-ldap would meet our requirements.  And nscd is best
avoided.

-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#624768; Package release.debian.org. (Tue, 03 May 2011 15:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 03 May 2011 15:45:04 GMT) Full text and rfc822 format available.

Message #37 received at 624768@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Ondrej Surý <ondrej@debian.org>, Julien Cristau <jcristau@debian.org>, debian-admin@lists.debian.org, 624768@bugs.debian.org, dexter@debian.org, 604854-submitter@bugs.debian.org
Subject: Re: Bug#624768: RM: libnss-db/2.2.3pre1-3.1
Date: Tue, 3 May 2011 17:39:43 +0200

retitle 624768 RFH: libnss-db
reassign 624768 wnpp
thank you

On Mon, May 2, 2011 at 22:58, Peter Palfrader <weasel@debian.org> wrote:
> On Mon, 02 May 2011, Ondrej Surý wrote:
>
>> Well, libnss-ldap(d) + NSCD could do the trick for short offline
>> periods (with HA LDAP setup).
>>
>> http://wiki.debian.org/LDAP/NSS
>
> I don't think libpam-ldap would meet our requirements.  And nscd is best
> avoided.

Then somebody should step up and give libnss-db a little love. It's a
shame we couldn't push it to GSoC now :(. Unfortunately it's as far
away from DNS as it could be, so I will probably not be able to adopt it
in our labs and I have already too many tasks on my shoulders. So I
cannot really promise anything, but if I catch some spare cycles
somewhere and nothing happens here, I'll at least fix the security
issue and libdb transition in a NMU. However I still think that from a
long term this needs to be

Reassigning to wnpp as a RFH and Ccing 604854 (which is about building
libnss-db from eglibc).

O.
-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/




Changed Bug title to 'RFH: libnss-db' from 'RM: libnss-db/2.2.3pre1-3.1' Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Tue, 03 May 2011 15:45:06 GMT) Full text and rfc822 format available.

Bug reassigned from package 'release.debian.org' to 'wnpp'. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Tue, 03 May 2011 15:45:06 GMT) Full text and rfc822 format available.

Changed Bug title to 'RFH: libnss-db -- NSS module for using Berkeley Databases as a naming service' from 'RFH: libnss-db' Request was from Dario Minnucci <midget@debian.org> to control@bugs.debian.org. (Fri, 08 Jul 2011 11:33:05 GMT) Full text and rfc822 format available.

Merged 624768 636733 Request was from Bart Martens <bartm@debian.org> to control@bugs.debian.org. (Sun, 28 Oct 2012 09:27:08 GMT) Full text and rfc822 format available.

Changed Bug title to 'O: libnss-db -- NSS module for using Berkeley Databases as a naming service' from 'RFH: libnss-db -- NSS module for using Berkeley Databases as a naming service' Request was from Bart Martens <bartm@debian.org> to control@bugs.debian.org. (Sun, 28 Oct 2012 09:27:08 GMT) Full text and rfc822 format available.

Changed Bug submitter to 'Ondřej Surý <ondrej@debian.org>' from 'Ondřej Surý <ondrej@debian.org>' Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Thu, 21 Mar 2013 21:28:24 GMT) Full text and rfc822 format available.

Removed tag(s) moreinfo. Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. (Sun, 15 Dec 2013 16:45:09 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 08:16:31 2014; Machine Name: beach.debian.org
