=== FJKong_afk is now known as FJKong
[07:04] <dholbach> good morning
=== ara is now known as Guest14068
=== utlemming is now known as utlemming_away
=== utlemming_away is now known as utlemming
=== utlemming is now known as utlemming_away
=== utlemming_away is now known as utlemming
[13:41] <Laney> BY THE POWER OF GREYSKULL
[13:41] <Laney> RISE UP, MASTERS
[13:41] <highvoltage> wom 13
[13:42] <teward> MOTUs:  Good morning/day/evening/night/<insert time reference word here>.  I think a package has stopped being maintained in Debian, and as a result we have 'old' and 'broken' software (electrum bitcoin wallet) in the repositories.  Is it possible to request a blacklist until Debian updates it for that package to be included?
[13:42] <Laney> you almost got away, highvoltage
[13:42] <teward> and if so what's needed for all that
[13:42] <highvoltage> Laney: lol
[13:43] <Laney> teward: broken how?
[13:43] <Laney> should it be removed from Debian testing too?
[13:43] <teward> Laney: i think https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792231 is a good start point
[13:43] <ubottu> Debian bug 792231 in electrum "Electrum version 1.9.8 vulnerable, needs update" [Normal,Open]
[13:43] <teward> Laney: it should be UPDATED by the Debian Bitcoin Team
[13:43] <teward> or torpedoed from their repositories entirely
[13:43] <teward> the version there, 1.9.8, is a year old
[13:43] <teward> and current is 2.4.x
[13:44] <Laney> teward: probably start by making that 'serious', I guess
[13:44] <Laney> amd we could update it in Ubuntu without waiting for Debian
[13:44] <Laney> I guess the stable releases want to be updated too
[13:45] <Laney> which will be fun but maybe the SRU team will let it be updated to the new version assuming that it is compatible
[13:46] <teward> Laney: i'm not a packaging expert for it, though.  I'd be happy to *try*, but there may be a PPA we could 'borrow' and have the sec team look at
[13:46] <teward> i'll reach out to electrum upstream to see if they know of prebuild packages for it, i think they have some...
[13:49] <Laney> Assuming they based it off the same packaging
[13:49] <teward> good point
[13:49] <Laney> otherwise... might be a good opportunity to learn
[13:49]  * teward shrugs
[13:50] <teward> I am hesitant with anything Bitcoin to use any packaging, and to build from source to make *sure* that the packaging doesn't have hidden surprises
[14:44] <teward> Laney: well, I got a response back.  http://paste.ubuntu.com/11993520/plain/
[14:44] <teward> sounds like missing deps are being a big issue
[14:45] <teward> if anything, I think I'd like the sec team to review and determine if it should be yanked
[14:58] <Laney> teward: doh
[14:59] <teward> Laney: i just responded asking "GIven that this is already vulnerable and it has OTHER vulnerabilities, does it even make sense to keep it in the repos"
[15:00] <teward> from my perspective, on security considerations alone, the answer is "No, this is not worth keeping"
[15:00] <teward> but I have no say
[15:00] <teward> not really
[15:00] <Laney> best to go raise it with security guys
[15:00] <Laney> sure you do
[15:00] <teward> so, hop into -hardened and ask for their opinions, link the Debian bug>?
[15:00] <teward> and let them say "Burn it" :P