[gentoo-dev] Last rites for net-ftp/netkit-tftp

[gentoo-dev] Last rites for net-ftp/netkit-tftp

[Diego Elio Pettenò]

I just fixed a (reported) buffer overflow on it (not a security bug),
but the code is very bad and I'm expecting more issues in the future.

The ebuild wasn't bumped since 2008, the upstream FTP site is entirely
gone (there's no more the _domain_ of it), and net-ftp/tftp-hpa should
replace it in all ways.

So it'll be removed next month if there are no reasons to keep it around.

-- 
Diego Elio Pettenò — Flameeyes
flameeyes@flameeyes.eu — http://blog.flameeyes.eu/

Re: [gentoo-dev] Last rites for net-ftp/netkit-tftp

[Chí-Thanh Christopher Nguyễn]

Diego Elio Pettenò schrieb:
> I just fixed a (reported) buffer overflow on it (not a security bug),
> but the code is very bad and I'm expecting more issues in the future.
> 
> The ebuild wasn't bumped since 2008, the upstream FTP site is entirely
> gone (there's no more the _domain_ of it), and net-ftp/tftp-hpa should
> replace it in all ways.
> 
> So it'll be removed next month if there are no reasons to keep it around.

Please report a removal bug for this, so any issues concerning users of
netkit-tftp can be tracked.


Best regards,
Chí-Thanh Christopher Nguyễn

Re: [gentoo-dev] Last rites for net-ftp/netkit-tftp

[Diego Elio Pettenò]

Il 08/07/2012 20:13, Chí-Thanh Christopher Nguyễn ha scritto:
> Please report a removal bug for this, so any issues concerning users of
> netkit-tftp can be tracked.

Here it is:
https://bugs.gentoo.org/show_bug.cgi?id=425362

And actually Robin K. who submitted the overflow bug I fixed, pointed
out that there _are_ cases where hpa doesn't work but netkit does, so
I've downgraded the removal to a simple masking for bad code.

I guess we'll wait a bit more before removing this, in the mean time
though I don't really feel happy with leaving it unmasked so it'll stay
as it is.

-- 
Diego Elio Pettenò — Flameeyes
flameeyes@flameeyes.eu — http://blog.flameeyes.eu/

Re: [gentoo-dev] Last rites for net-ftp/netkit-tftp

[Pacho Ramos]

[-- Attachment #1: Type: text/plain, Size: 815 bytes --]

El dom, 08-07-2012 a las 21:49 +0200, Diego Elio Pettenò escribió:
> Il 08/07/2012 20:13, Chí-Thanh Christopher Nguyễn ha scritto:
> > Please report a removal bug for this, so any issues concerning users of
> > netkit-tftp can be tracked.
> 
> Here it is:
> https://bugs.gentoo.org/show_bug.cgi?id=425362
> 
> And actually Robin K. who submitted the overflow bug I fixed, pointed
> out that there _are_ cases where hpa doesn't work but netkit does, so
> I've downgraded the removal to a simple masking for bad code.
> 
> I guess we'll wait a bit more before removing this, in the mean time
> though I don't really feel happy with leaving it unmasked so it'll stay
> as it is.
> 

If its upstream is completely dead, it has bad code and it has a
replacement, I would still go to treeclean it

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Last rites for net-ftp/netkit-tftp

[Jeroen Roovers]

On Sun, 08 Jul 2012 23:29:35 +0200
Pacho Ramos <pacho@gentoo.org> wrote:

> El dom, 08-07-2012 a las 21:49 +0200, Diego Elio Pettenò escribió:
> > Il 08/07/2012 20:13, Chí-Thanh Christopher Nguyễn ha scritto:
> > > Please report a removal bug for this, so any issues concerning
> > > users of netkit-tftp can be tracked.
> > 
> > Here it is:
> > https://bugs.gentoo.org/show_bug.cgi?id=425362
> > 
> > And actually Robin K. who submitted the overflow bug I fixed,
> > pointed out that there _are_ cases where hpa doesn't work but
> > netkit does, so I've downgraded the removal to a simple masking for
> > bad code.
> > 
> > I guess we'll wait a bit more before removing this, in the mean time
> > though I don't really feel happy with leaving it unmasked so it'll
> > stay as it is.
> > 
> 
> If its upstream is completely dead, it has bad code and it has a
> replacement, I would still go to treeclean it

But if it provides the only means to netboot certain hardware, then you
might think twice.


      jer

Re: [gentoo-dev] Last rites for net-ftp/netkit-tftp

[Anthony G. Basile]

On 07/08/2012 08:57 PM, Jeroen Roovers wrote:
> On Sun, 08 Jul 2012 23:29:35 +0200
> Pacho Ramos<pacho@gentoo.org>  wrote:
>
>> El dom, 08-07-2012 a las 21:49 +0200, Diego Elio Pettenò escribió:
>>> Il 08/07/2012 20:13, Chí-Thanh Christopher Nguyễn ha scritto:
>>>> Please report a removal bug for this, so any issues concerning
>>>> users of netkit-tftp can be tracked.
>>> Here it is:
>>> https://bugs.gentoo.org/show_bug.cgi?id=425362
>>>
>>> And actually Robin K. who submitted the overflow bug I fixed,
>>> pointed out that there _are_ cases where hpa doesn't work but
>>> netkit does, so I've downgraded the removal to a simple masking for
>>> bad code.
>>>
>>> I guess we'll wait a bit more before removing this, in the mean time
>>> though I don't really feel happy with leaving it unmasked so it'll
>>> stay as it is.
>>>
>> If its upstream is completely dead, it has bad code and it has a
>> replacement, I would still go to treeclean it
> But if it provides the only means to netboot certain hardware, then you
> might think twice.
>
>
>        jer
>
I have several ubiquity routerstations (the hardware in questions) and 
I've asked Robin Kauffman to report the steps to reproduce in the bug.  
I'll try to get to the bottom of why tftp-hpa doesn't work.

--Tony

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535

Re: [gentoo-dev] Last rites for net-ftp/netkit-tftp

[Pacho Ramos]

[-- Attachment #1: Type: text/plain, Size: 1505 bytes --]

El dom, 08-07-2012 a las 21:06 -0400, Anthony G. Basile escribió:
> On 07/08/2012 08:57 PM, Jeroen Roovers wrote:
> > On Sun, 08 Jul 2012 23:29:35 +0200
> > Pacho Ramos<pacho@gentoo.org>  wrote:
> >
> >> El dom, 08-07-2012 a las 21:49 +0200, Diego Elio Pettenò escribió:
> >>> Il 08/07/2012 20:13, Chí-Thanh Christopher Nguyễn ha scritto:
> >>>> Please report a removal bug for this, so any issues concerning
> >>>> users of netkit-tftp can be tracked.
> >>> Here it is:
> >>> https://bugs.gentoo.org/show_bug.cgi?id=425362
> >>>
> >>> And actually Robin K. who submitted the overflow bug I fixed,
> >>> pointed out that there _are_ cases where hpa doesn't work but
> >>> netkit does, so I've downgraded the removal to a simple masking for
> >>> bad code.
> >>>
> >>> I guess we'll wait a bit more before removing this, in the mean time
> >>> though I don't really feel happy with leaving it unmasked so it'll
> >>> stay as it is.
> >>>
> >> If its upstream is completely dead, it has bad code and it has a
> >> replacement, I would still go to treeclean it
> > But if it provides the only means to netboot certain hardware, then you
> > might think twice.
> >
> >
> >        jer
> >
> I have several ubiquity routerstations (the hardware in questions) and 
> I've asked Robin Kauffman to report the steps to reproduce in the bug.  
> I'll try to get to the bottom of why tftp-hpa doesn't work.
> 
> --Tony
> 

I thought it has a replacement, if not, ok to keep

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Last rites for net-ftp/netkit-tftp

[Diego Elio Pettenò]

On Mon, Jul 9, 2012 at 10:34 PM, Pacho Ramos <pacho@gentoo.org> wrote:
> I thought it has a replacement, if not, ok to keep

It has a replacement for probably 95% of its users; hopefully Robin
and Anthony can figure out why those 5% (random number of course) is
not able to use tftp-hpa; once we do that it should be safe to remove.
I'll keep it monitored till then. And masked of course, as we don't
want to risk issues, especially security issues, due to that.