Debian Bug report logs - #630422
RFP: pwsafe -- pwsafe is a *nix command-line program that manages encrypted password databases

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Francis Russell <francis+dbts@unchartedbackwaters.co.uk>

Date: Mon, 13 Jun 2011 22:48:02 UTC

Severity: wishlist


Report forwarded to debian-bugs-dist@lists.debian.org, francis+dbts@unchartedbackwaters.co.uk, debian-devel@lists.debian.org, mako@atdoc.cc, wnpp@debian.org:
Bug#630422; Package wnpp. (Mon, 13 Jun 2011 22:48:04 GMT)

Acknowledgement sent to Francis Russell <francis+dbts@unchartedbackwaters.co.uk>:
New Bug report received and forwarded. Copy sent to francis+dbts@unchartedbackwaters.co.uk, debian-devel@lists.debian.org, mako@atdoc.cc, wnpp@debian.org. (Mon, 13 Jun 2011 22:48:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Francis Russell <francis+dbts@unchartedbackwaters.co.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ITP: pwsafe -- pwsafe is a *nix command-line program that manages encrypted password databases
Date: Mon, 13 Jun 2011 23:44:31 +0100

Package: wnpp
Severity: wishlist
Owner: Francis Russell <francis+dbts@unchartedbackwaters.co.uk>


* Package name    : pwsafe
  Version         : 0.2.0
  Upstream Author : Nicolas S. Dade <ndade@nsd.dyndns.org>
* URL             : http://nsd.dyndns.org/pwsafe/
* License         : GPL
  Programming Lang: C++
  Description     : command-line application for managing encrypted passwords

pwsafe is a *nix command-line program that manages encrypted password
databases.

 Features:
- Pure command-line operation if desired (good for remote access over ssh)
  or can interact with X11 selection & clipboard.
- Portable, endianness-clean, misaligned-access-free C++.
- Compatible with CounterPane's PasswordSafe Win32 program versions 2.x
  and 1.x.

pwsafe was in Debian until recently, but removed since it was orphaned.
I contacted the current maintainer who was willing to sponsor uploads by
a user willing to take on maintenance work.

Please see the following bug reports:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601300
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=630178




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Francis Russell <francis+dbts@unchartedbackwaters.co.uk>:
Bug#630422; Package wnpp. (Mon, 27 May 2013 13:38:38 GMT)

Acknowledgement sent to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Francis Russell <francis+dbts@unchartedbackwaters.co.uk>. (Mon, 27 May 2013 13:38:38 GMT)

Message #10 received at 630422@bugs.debian.org:

From: Lucas Nussbaum <lucas@debian.org>
To: 630422@bugs.debian.org
Cc: control@bugs.debian.org
Subject: pwsafe: changing back from ITP to RFP
Date: Mon, 27 May 2013 15:24:26 +0200

retitle 630422 RFP: pwsafe -- pwsafe is a *nix command-line program that manages encrypted password databases
noowner 630422
tag 630422 - pending
thanks

Hi,

This is an automatic email to change the status of pwsafe back from ITP
(Intent to Package) to RFP (Request for Package), because this bug hasn't seen
any activity during the last 12 months.

If you are still interested in adopting pwsafe, please send a mail to
<control@bugs.debian.org> with:

 retitle 630422 ITP: pwsafe -- pwsafe is a *nix command-line program that manages encrypted password databases
 owner 630422 !
 thanks

However, it is not recommended to keep ITP for a long time without acting on
the package, as it might cause other prospective maintainers to refrain from
packaging that software. It is also a good idea to document your progress on
this ITP from time to time, by mailing <630422@bugs.debian.org>.

Thank you for your interest in Debian,
-- 
Lucas, for the QA team <debian-qa@lists.debian.org>



Changed Bug title to 'RFP: pwsafe -- pwsafe is a *nix command-line program that manages encrypted password databases' from 'ITP: pwsafe -- pwsafe is a *nix command-line program that manages encrypted password databases' Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Mon, 27 May 2013 13:54:38 GMT)

Removed annotation that Bug was owned by Francis Russell <francis+dbts@unchartedbackwaters.co.uk>. Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Mon, 27 May 2013 13:54:39 GMT)

Changed Bug title to 'RFP: pwsafe -- pwsafe is a *nix command-line program' from 'RFP: pwsafe -- pwsafe is a *nix command-line program that manages encrypted password databases' Request was from kk <kingkongmok@gmail.com> to control@bugs.debian.org. (Mon, 17 Jun 2013 02:48:04 GMT)

Changed Bug title to 'ITP: pwsafe -- pwsafe is a *nix command-line program' from 'RFP: pwsafe -- pwsafe is a *nix command-line program' Request was from William Blough <devel@blough.us> to control@bugs.debian.org. (Tue, 04 Feb 2014 07:12:04 GMT)

Owner recorded as Bill Blough <devel@blough.us>. Request was from Bill Blough <devel@blough.us> to control@bugs.debian.org. (Tue, 04 Feb 2014 07:24:04 GMT)

Changed Bug title to 'RFP: pwsafe -- pwsafe is a *nix command-line program that manages encrypted password databases' from 'ITP: pwsafe -- pwsafe is a *nix command-line program' Request was from Bill Blough <devel@blough.us> to control@bugs.debian.org. (Wed, 05 Feb 2014 21:40:11 GMT)

Removed annotation that Bug was owned by Bill Blough <devel@blough.us>. Request was from Bill Blough <devel@blough.us> to control@bugs.debian.org. (Wed, 05 Feb 2014 21:40:12 GMT)

Information stored:
Bug#630422; Package wnpp. (Wed, 05 Feb 2014 22:27:09 GMT)

Acknowledgement sent to Bill Blough <devel@blough.us>:
Extra info received and filed, but not forwarded. (Wed, 05 Feb 2014 22:27:10 GMT)

Message #29 received at 630422-quiet@bugs.debian.org:

From: Bill Blough <devel@blough.us>
To: 630422-quiet@bugs.debian.org
Subject: [Re: ITA/ITP of pwsafe]
Date: Wed, 5 Feb 2014 17:00:17 -0500

I have decided not to package pwsafe.

However, I would like to add the information that I have, in case
someone else wants to package it:

Upstream is essentially dead.  The original author hasn't responded to
email, and the project on SourceForge hasn't been updated in years.
However, the code there is slightly newer than what was packaged for
squeeze, and there are some user-submitted patches that may or may not
be useful.

There are two major issues stopping pwsafe from being repackaged.  The
first is the broken OpenSSL issue:


----- Forwarded message from "Benj. Mako Hill" <mako@atdot.cc> -----

Definitely. I'm happy to sponsor.

I think there needs to be a plan for migrating or fixing any password
files created with pwsafe using the version that was shipped with a
broken OpenSSL. As in, we should be able to detect the bad keys and
blacklist them -- much like openssh did. I think if that's handled -- or
if you can convince me that it's not a problem, I'll have no problem
sponsoring it again.

I just didn't have time to fix that correctly back when and I
didn't use it anymore. Since this is software that secures people's
passwords, I felt it should be well-maintained and should take security
bugs very seriously. If you can address that issue and other important
bugs, I'm happy to sponsor it.

Later,
Mako

----- End forwarded message -----


The second is licensing.  pwsafe is GPL and uses OpenSSL, but does not
have a licensing exception.  And since upstream is unresponsive, I feel
there's little chance of getting one.  So the only alternative is to
rip out all of the OpenSSL-based crypto code, and replace it with code
that uses a different (GPL-compatible) crypto library.


Both of those issues are fixable, if someone wants to put in the time
and effort.


On the bright side, I have just spent a fair amount of time trying to bring
the squeeze version of the package up to date.  I have updated it to
support debhelper compat v9 and standards version 3.9.5, switched it to
use dpkg-source format 3.0 (quilt), switched d/rules to use dpkg-buildflags,
and made the package lintian clean (except for the OpenSSL exception error).

So if someone wants to continue the work, you can start where I left off and
have a *little* less to do.  https://bitbucket.org/bblough/pwsafe

I also started attempting to switch it from OpenSSL to gcrypt (locally),
but it doesn't look like it's possible to get gcrypt to do a zero-initialized
SHA1 without a nasty (and very likely unstable and non-portable) hack.
So unless that changes, a library other than gcrypt will need to be used.


Also, here are some relevant links that I found while researching the 
state of the package and what needs to be done:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601300

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=630178

https://www.debian.org/security/key-rollover/

https://wiki.debian.org/SSLkeys?#pwsafe


Good luck to anyone who takes this up.

Bill
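
What the "zero-initialized SHA1" requirement in the message above asks of a crypto library, as an added example that is not part of the original message and is not pwsafe's code: SHA-1 run from a caller-supplied initial state, which a fixed-IV digest API such as Python's `hashlib` does not expose. Reading "zero-initialized" as all five chaining words starting at 0 is an assumption, and `sha1_with_iv`, `ZERO_IV`, `SAMPLE` and `compare` are names made up here.

```python
import hashlib
import struct

# Standard SHA-1 initial chaining values (FIPS 180-4).
STANDARD_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
ZERO_IV = (0, 0, 0, 0, 0)  # assumption: what "zero-initialized" means
MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _compress(state, block):
    """One SHA-1 compression round over a 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (_rotl(a, 5) + f + e + k + w[t]) & MASK
        a, b, c, d, e = temp, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))

def sha1_with_iv(data, iv=STANDARD_IV):
    """SHA-1 of data, starting from the given 5-word initial state."""
    # Usual padding: 0x80, zero bytes, then the 64-bit big-endian bit length.
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    padded += struct.pack(">Q", len(data) * 8)
    state = tuple(iv)
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64])
    return struct.pack(">5I", *state)

SAMPLE = b"constructed sample input, not data from a real password file"

def compare(data=SAMPLE):
    """Return (matches hashlib with the standard IV, differs with the zero IV)."""
    standard = sha1_with_iv(data)
    zeroed = sha1_with_iv(data, ZERO_IV)
    return standard == hashlib.sha1(data).digest(), zeroed != standard

if __name__ == "__main__":
    print(compare(), sha1_with_iv(SAMPLE, ZERO_IV).hex())
```

With the standard IV the function agrees with `hashlib.sha1`; with the zero IV it yields a different 20-byte value that a library with a fixed initial state cannot reproduce through its public interface.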










Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:03:18 2014; Machine Name: buxtehude.debian.org
