Re: [Sks-devel] SKS debian package


From: Jeffrey Johnson
Subject: Re: [Sks-devel] SKS debian package
Date: Sun, 29 Apr 2012 18:14:36 -0400

On Apr 29, 2012, at 6:07 PM, Robert J. Hansen wrote:

> On 04/29/2012 05:42 PM, Jeffrey Johnson wrote:
>> If there were any BDB "security releases", you might have a point.
> 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1436
> 
> Yes, that's actually a bug in the libc db interface, not BDB itself, but
> the point still stands: this is something that would be embedded into
> sks with static linkage, and something that could be trivially fixed
> out-of-band with dynamic linkage.
> 

You are very very confused: db-1.85 went end-of-life
in like 1994 and has nothing whatsoever to do with
db-5.3.15 (which _STILL_ provides backward compatibility
for Luddite FL/OSS software development to db-1.85 nearly
18 years later).

> No nontrivial piece of software -- I repeat, *no* nontrivial piece of
> software -- has *ever* been released without security bugs, and it is
> both unprofessional and reckless to state otherwise.  If you don't
> understand this, then I think we're done here because we're not going to
> agree on anything.


I have made no claim that a CVE isn't possible for Berkeley DB. 

Go ahead, make my day:
        Show me the CVE that makes me a liar.

I do claim that there haven't been any (and you are on crack if you think
that db-1.85 incorporated into FreeBSD or glibc has anything whatsoever
to do with modern Berkeley DB).

If you don't believe me:
        Go ahead and do the port of SKS to db-1.85. Surely someone
        wishes that somewhere even if -- I am an optimist -- not in Debian.

73 de Jeff


