gstm should drop gaskpass and Depend: ssh-askpass

Bug #276534 reported by Trochee
This bug affects 1 person
Affects: gstm (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Ryan Niebur

Bug Description

Binary package hint: gstm

There are several well-audited, well-supported implementations of ssh-askpass available in ubuntu (for example, ssh-askpass-gnome). Given the bugs in gstm's gaskpass utility (#276517 #276525 #276529 #276530) it seems like it would make sense to drop that utility and defer to the more widely-used ssh-askpass implementations.

I imagine this is a drop-in (er, drop-out?) replacement, and the maintainers could guarantee that ssh-askpass was present by adjusting the Depends: line in the package description to include ssh-askpass.
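The report's suggested fix is a packaging change: drop the bundled askpass helper and add ssh-askpass to the binary package's Depends: line. The following added example (not code from gstm or from this bug report) shows how such a change can be checked mechanically. It parses the Depends field of a debian/control stanza, splits it into comma-separated relations and |-separated alternatives, and reports whether an askpass helper is pulled in and whether a real package is listed ahead of the virtual ssh-askpass name, as Debian Policy asks for dependencies on virtual packages. The control stanzas and the list of providing packages are constructed for the example; the real gstm control file is not on this page.

```python
import re

# Packages assumed to "Provide: ssh-askpass" (constructed list for this example;
# on a real system consult `apt-cache showpkg ssh-askpass`).
ASKPASS_PROVIDERS = {"ssh-askpass-gnome", "ssh-askpass-fullscreen", "ksshaskpass"}
VIRTUAL = "ssh-askpass"

# One relation: package name, optional ":arch" qualifier, optional "(>= 1.2)"
# version constraint, optional "[arch]" restriction list.
_REL = re.compile(
    r"^\s*([a-z0-9][a-z0-9+.-]*)(?::[a-z0-9-]+)?\s*(?:\([^)]*\))?\s*(?:\[[^\]]*\])?\s*$"
)


def parse_depends(field):
    """Split a Depends value into alternative groups of bare package names.

    'a, b (>= 1) | c' -> [['a'], ['b', 'c']]
    Build-time substitution variables such as ${shlibs:Depends} are skipped.
    """
    groups = []
    for clause in field.split(","):
        alts = []
        for alt in clause.split("|"):
            alt = alt.strip()
            if not alt or alt.startswith("${"):
                continue
            m = _REL.match(alt)
            if not m:
                raise ValueError(f"unparseable relation: {alt!r}")
            alts.append(m.group(1))
        if alts:
            groups.append(alts)
    return groups


def get_field(stanza, name):
    """Return a (possibly folded) field value from a control stanza, or ''."""
    lines = stanza.splitlines()
    for i, line in enumerate(lines):
        if line.lower().startswith(name.lower() + ":"):
            value = [line.split(":", 1)[1].strip()]
            for cont in lines[i + 1:]:
                if cont[:1] in (" ", "\t"):  # continuation line
                    value.append(cont.strip())
                else:
                    break
            return " ".join(value)
    return ""


def check_askpass_dependency(stanza):
    """Report whether the stanza depends on an askpass helper and how."""
    for alts in parse_depends(get_field(stanza, "Depends")):
        if VIRTUAL in alts or any(a in ASKPASS_PROVIDERS for a in alts):
            # Policy: name a real package before the virtual one so a default exists.
            return {
                "present": True,
                "real_default": alts[0] != VIRTUAL,
                "alternatives": alts,
            }
    return {"present": False, "real_default": False, "alternatives": []}


# Constructed stanzas: the package as it was (bundling its own helper) and as
# the report proposes it should be.
BEFORE = """Package: gstm
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, openssh-client
Description: Gnome SSH Tunnel Manager
"""

AFTER = """Package: gstm
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, openssh-client,
 ssh-askpass-gnome | ssh-askpass
Description: Gnome SSH Tunnel Manager
"""

if __name__ == "__main__":
    for label, stanza in (("before", BEFORE), ("after", AFTER)):
        print(label, check_askpass_dependency(stanza))
```

Running the block prints the "before" stanza as having no askpass dependency and the "after" stanza as depending on ssh-askpass-gnome with ssh-askpass as the virtual fallback. Listing the virtual name first (Depends: ssh-askpass | ssh-askpass-gnome) is flagged with real_default False, since the package manager then has no stated default to install.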

Revision history for this message
Trochee (trochee) wrote:

I've attached a patch that removes the calls to gaskpass and changes the Depends: accordingly.

Ryan Niebur (ryan52) wrote:

Since all of these bugs are extremely trivial to fix, I will just fix the bugs themselves and not replace gaskpass.

Thanks, though.
  -- Ryan

Changed in gstm:
status: New → Invalid
Changed in gstm:
importance: Undecided → Wishlist
status: Invalid → Won't Fix
Trochee (trochee) wrote:

I believe it is a mistake to maintain a separate security-sensitive application (asking for passwords) inside a tangentially-related package, when perfectly good -- and well-maintained -- programs exist for the same purpose. ssh-askpass-gnome is even part of openssh, which is (I think) necessary for gSTM.

Choosing 'Won't Fix' -- including gAskPass makes this package unnecessarily bloated and is well beyond the scope of a graphical tool for organizing SSH connections.

dkg (dkg0) wrote:

I think I agree with trochee here. Those four bugs were filed within a few hours of each other, the result of a quick audit. If, as Ryan says, these are trivial to fix, it makes me wonder how many more serious, non-trivial problems would be uncovered by a more in-depth audit.

Since these trivial problems weren't discovered for years in the package upstream, I'm concerned that there is not an ongoing security review of the tool. This isn't a question of replacing gaskpass; it's just dropping it, so that gstm can focus on the specific functionality it offers. Why not just make gstm do one thing, and do it well?

What does gaskpass offer the free software ecosystem that's not already offered by the more mature askpass implementations?

Ryan Niebur (ryan52) wrote:

Okay, the bugs were a bit unclear about the actual problem, so I did not understand properly. I do now, and will remove gaskpass.

Thanks,
Ryan

Changed in gstm:
assignee: nobody → ryan52
status: Won't Fix → In Progress
Ryan Niebur (ryan52) wrote:

Okay, fix uploaded to Debian.
I dunno when it will be merged into Ubuntu, but ya...:/

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package gstm - 1.2-7

---------------
gstm (1.2-7) unstable; urgency=low

  * Remove gaskpass. gaskpass is just another ssh askpass program, and
    doesn't do anything special. It does not grab focus, which means
    that key loggers can listen in on what you type, aiui. Seeing as how
    it is just reinventing the wheel, I see no reason to keep it around.
    (Fixes LP: #276530, #276517, #276525, #276529, #276534)
  * Do not explicitly set the ssh timeout, as that causes problems on
    slow networks. (Fixes LP: #293240)

 -- Ubuntu Archive Auto-Sync <email address hidden> Mon, 24 Nov 2008 09:48:55 +0000

Changed in gstm:
status: In Progress → Fix Released