=== FJKong_afk is now known as FJKong | ||
dholbach | good morning | 07:04 |
---|---|---|
=== ara is now known as Guest14068 | ||
=== utlemming is now known as utlemming_away | ||
=== utlemming_away is now known as utlemming | ||
=== utlemming is now known as utlemming_away | ||
=== utlemming_away is now known as utlemming | ||
Laney | BY THE POWER OF GREYSKULL | 13:41 |
Laney | RISE UP, MASTERS | 13:41 |
highvoltage | wom 13 | 13:41 |
teward | MOTUs: Good morning/day/evening/night/<insert time reference word here>. I think a package has stopped being maintained in Debian, and as a result we have 'old' and 'broken' software (electrum bitcoin wallet) in the repositories. Is it possible to request a blacklist until Debian updates it for that package to be included? | 13:42 |
Laney | you almost got away, highvoltage | 13:42 |
teward | and if so what's needed for all that | 13:42 |
highvoltage | Laney: lol | 13:42 |
Laney | teward: broken how? | 13:43 |
Laney | should it be removed from Debian testing too? | 13:43 |
teward | Laney: i think https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792231 is a good start point | 13:43 |
ubottu | Debian bug 792231 in electrum "Electrum version 1.9.8 vulnerable, needs update" [Normal,Open] | 13:43 |
teward | Laney: it should be UPDATED by the Debian Bitcoin Team | 13:43 |
teward | or torpedoed from their repositories entirely | 13:43 |
teward | the version there, 1.9.8, is a year old | 13:43 |
teward | and current is 2.4.x | 13:43 |
Laney | teward: probably start by making that 'serious', I guess | 13:44 |
Laney | and we could update it in Ubuntu without waiting for Debian | 13:44 |
Laney | I guess the stable releases want to be updated too | 13:44 |
Laney | which will be fun but maybe the SRU team will let it be updated to the new version assuming that it is compatible | 13:45 |
teward | Laney: i'm not a packaging expert for it, though. I'd be happy to *try*, but there may be a PPA we could 'borrow' and have the sec team look at | 13:46 |
teward | i'll reach out to electrum upstream to see if they know of prebuilt packages for it, i think they have some... | 13:46 |
Laney | Assuming they based it off the same packaging | 13:49 |
teward | good point | 13:49 |
Laney | otherwise... might be a good opportunity to learn | 13:49 |
* teward shrugs | 13:49 | |
teward | I am hesitant with anything Bitcoin to use any packaging, and to build from source to make *sure* that the packaging doesn't have hidden surprises | 13:50 |
teward | Laney: well, I got a response back. http://paste.ubuntu.com/11993520/plain/ | 14:44 |
teward | sounds like missing deps are being a big issue | 14:44 |
teward | if anything, I think I'd like the sec team to review and determine if it should be yanked | 14:45 |
Laney | teward: doh | 14:58 |
teward | Laney: i just responded asking "Given that this is already vulnerable and it has OTHER vulnerabilities, does it even make sense to keep it in the repos" | 14:59 |
teward | from my perspective, on security considerations alone, the answer is "No, this is not worth keeping" | 15:00 |
teward | but I have no say | 15:00 |
teward | not really | 15:00 |
Laney | best to go raise it with security guys | 15:00 |
Laney | sure you do | 15:00 |
teward | so, hop into -hardened and ask for their opinions, link the Debian bug? | 15:00 |
teward | and let them say "Burn it" :P | 15:00 |