[arch-general] unrealircd 3.2.8.1-2 contains backdoor

[Alexander Duscheleit]

On Sun, 13 Jun 2010 02:10:56 +0200
Thomas Bächler <thomas at archlinux.org> wrote:

> Am 13.06.2010 02:06, schrieb Alexander Duscheleit:
> > On Sun, 13 Jun 2010 01:19:02 +0200
> > Thomas Bächler <thomas at archlinux.org> wrote:
> > 
> >> Am 13.06.2010 00:57, schrieb Alexander Duscheleit:
> >>>
> >>> I've already filed a bug as FS#19780 to the community project, but
> >>> given the severity I thought it would be wise to alert a wider
> >>> audience.
> >>
> >> Maybe you should post to the right list then.
> >>
> > Isn't that what I did? From the Arch Linux related lists, this one
> > seemed the most appropriate I have post access to. Aur-general
> > doesn't apply, dev-public is read-only, all others don't fit the
> > topic and there is no -security. So which Arch list would have been
> > better?
> 
> aur-general is where all issues concerning community packages can be
> discussed with the TUs, and it is the only list where every single TU
> is subscribed.

OK, I really didn't know that. I thought that since the repo moved to
the "proper" arch servers, the relation between community and AUR
wouldn't apply anymore the way it did before. I'll remeber that for the
future. (I saw the crosspost right after I sent my 1st reply.)

OTOH the original mail was meant more to alert *users* of unrealircd,
the maintainer should actually already have been noticed via the bug.

On a side-note, Sergej already has published a new pkgrel this afternoon
(2010-06-12 16:40:54 UTC). So the bug is/was already obsolete before I
wrote it. (I should remember to check the website before trusting
supposedly up to date mirrors I guess.) What do we actually need a
-security list for, when maintainers fix vulnerabilities before the are
filed? ;-)