Bug 29733 - tmate should probably be dropped due to inadequate upstream maintenance
Summary: tmate should probably be dropped due to inadequate upstream maintenance
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: release_blocker normal
Target Milestone: Mageia 9
Assignee: Thierry Vignaud
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 30163
Reported: 2021-12-06 18:27 CET by David Walser
Modified: 2023-06-19 01:10 CEST (History)
3 users

See Also:
Source RPM: tmate-2.4.0-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2021-12-06 18:27:01 CET
This report details some issues in tmate-ssh-server, which I don't believe we have packaged:
https://www.openwall.com/lists/oss-security/2021/12/06/2

Apparently it and tmate itself were born as forks of tmux, and the above report contains this concerning statement:
"Both forks originate from the year 2016 and no sync seems to have happened since then. The upstream author states that he doesn't backport fixes any more due to lack of time."

As such, I'm not sure if tmate is vulnerable to CVE-2018-19387 (Bug 24054) or CVE-2020-27347 (Bug 27569), but if it isn't syncing fixes from tmux, it could leave it vulnerable to other issues in the future. Nothing requires this package so we can drop it.
David Walser 2021-12-06 18:27:12 CET

Priority: Normal => release_blocker
Target Milestone: --- => Mageia 9

Comment 1 Thierry Vignaud 2021-12-29 18:30:30 CET
Humm it's very useful.
It's still maintained in other distros.
I think we can just follow other distros on that front.
Comment 2 David Walser 2021-12-29 18:32:46 CET
Just because it's packaged in distros doesn't mean anything if the software itself isn't being maintained.
David Walser 2022-10-25 14:53:07 CEST

Blocks: (none) => 30163

Comment 3 Morgan Leijström 2023-06-11 01:33:28 CEST
Does this need to be a release blocker?

CC: (none) => fri

Comment 4 David Walser 2023-06-11 03:26:26 CEST
Yes, packages can't be dropped after release.
Comment 5 Dave Hodgins 2023-06-11 20:14:52 CEST
For packages like this where it is not on the iso image, it's a blocker
for the final, not a blocker for the rc.

CC: (none) => davidwhodgins

Comment 6 Nicolas Lécureuil 2023-06-19 01:10:19 CEST
Fixed closing

CC: (none) => mageia
Resolution: (none) => FIXED
Status: NEW => RESOLVED
