On Tue, 4 Nov 2008 03:40:22 pm Michael Gilbert wrote:
> Dear release team,
>
> Thank you for making a decision on the direction for bug #449497 in
> foo2zjs [1]. I believe that this is a reasonable choice for now due
> to the impending release. However, I would really like to see an
> honest and constructive conversation on the issue. I believe that
> there are some major security and functionality problems with fetching
> scripts, and there should be clear direction from the members of the
> debian project on the matter. I would like to be able to completely
> trust main, so it is my hope that developers would do everything in
> their power to keep main as clean and safe as possible. I am just a
> user, so I feel powerless to do anything, and my experience dealing
> with this issue through the foo2zjs maintainers was not exactly
> constructive [2],[3],[4] (primarily because of over-reactiveness and
> hyper sensitivity on their part and perhaps a lack of appreciation for
> debian's bug command and control authority [5] on my part -- and of
> course some good old misunderstanding and misinterpretation). Where
> do I go from here to make sure the issue gets the appropriate level of
> thought and consideration that it deserves (after lenny gets released
> of course)?
>
> Best wishes,
> Michael Gilbert
>
> [1] http://lists.debian.org/debian-relea.../msg00106.html
> [2] http://bugs.debian.org/449497
> [3] http://bugs.debian.org/503813
> [4] http://bugs.debian.org/503814
> [5] http://lists.debian.org/debian-ctte/.../msg00006.html

Please let me just say two things. First we are not over-sensitive or
anything, but we took your ideas into consideration and even asked for
advice. I think we were pretty sensible in that manner, so please stop
stating otherwise.
Furthermore, the script is not automatically called and users know what they
are doing (or at least they should) when they call it. Maybe we could even
add an additional warning, which I would definitely be open to.
Now to your "security concerns". Since this script explicitly downloads stuff
from an author's webpage (and it is stated like that), the user knows the
risk. Are you proposing to call this a security issue? Then packages like
iceweasel are also affected and many others ...
We can talk about putting the script somewhere else or do $whatever with it
after the release, but not for lenny. So please stop the noise and get back
to us about it after the release. I promise that I'll do my best to find a
solution that suits everyone. But right now you create more work for other
people, including me, which I could spend on security related work.
Thanks in advance.

Cheers
Steffen
