nominate for removal: ethereal

Phil Knirsch pknirsch at redhat.com
Thu Jul 8 10:21:25 UTC 2004


seth vidal wrote:
> So, would it be completely inappropriate to nominate ethereal for
> removal from fc3 due to its spotty history of security problems?
> 
> It seems like an excellent place to start thinking of packages that
> should be maintained, in fedora extras, by the people interested in
> using them, not by the central developers at red hat. 
> 
> Thoughts?
> 

Well, maybe I, as the package maintainer of ethereal here at Red Hat for 
now a little over 3 years, can give my $0.02 on this topic.

Your request is certainly not inappropriate at all; I've often wondered 
why we (and especially I) still maintain this package and why we keep 
shipping it in every released product.

The thing is: it is a very, very useful tool, even more so IMHO than 
tcpdump. And especially for network debugging it is invaluable.

Now, if you look at our product line, it mainly targets the enterprise 
customer, especially the server side there. Now, what kind of 
applications, apart from the standard server software, does an 
administrator especially need and use? Exactly: tools for setting up the 
system, monitoring it and debugging it. And ethereal is exactly in that 
space. If I were a sysadmin I would put ethereal in my top 10 list of 
apps that need to be in a product that I would consider buying (or 
recommend that my company buy).

On the other hand, as you yourself already mentioned, and as I have had 
the pleasure of being directly affected by, there is the extreme security 
record of ethereal. Recently I began to joke about doing an automatic 
monthly ethereal errata, just in case. :-)

But seriously, this is really the downside of this tool: as it reads 
every crappy byte from the network and parses it in tons of ways to 
figure out what kind of packet just went past it, it is prone to such 
problems. After every errata I always have the hope that we slowly get 
to a point where there will be fewer and fewer security errata for 
ethereal, but my gut tells me there is no end in sight yet. Maybe 
someone with a really strong background in doing security audit code 
reviews should take some time and wade through the whole ethereal code 
once and be done with it for a while (until new plugins come in with new 
security problems).

So to boil it down, I am between a rock and a hard place here:

On the one hand, I see the real need, use and benefit of having 
ethereal in our products.

On the other hand, it produces an awful lot of work over time. At the 
moment, if an ethereal security problem is found I need to do 4 errata 
(AS2.1, RHEL3, FC1 and FC2). In the future this number will mainly only 
increase, especially as our enterprise products have such a long lifetime.

And the point is: for a package that needs to be in our enterprise 
products, it is in the long run necessary that there is an internal Red 
Hat package maintainer for it.

I was, am and will be maintaining ethereal and hope we can keep it in 
the enterprise product. Should we ever decide to remove it from our main 
products, I'll gladly step down as package maintainer and hand it over 
to someone in the community to take good care of the package. But until 
then I don't think it's a good idea.

Those are my long $0.02 on the topic. ;-)

Read ya, Phil

-- 
Philipp Knirsch      | Tel.:  +49-711-96437-470
Development          | Fax.:  +49-711-96437-111
Red Hat GmbH         | Email: Phil Knirsch <phil at redhat.de>
Hauptstaetterstr. 58 | Web:   http://www.redhat.de/
D-70178 Stuttgart
Motd:  You're only jealous cos the little penguins are talking to me.
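The parsing hazard Phil describes above (a dissector that reads every byte off the wire and has to trust what the packet claims about itself) is the class of bug behind most of those errata. The following is an added illustration, not code from Ethereal or from this thread: a small dissector for a hypothetical TLV record format (1-byte type, 2-byte big-endian length, then `length` value bytes) that checks every packet-supplied length against the bytes actually captured before it touches memory. The record layout, the `MAX_VALUE_LEN` cap and the four sample frames are all constructed for the example; the point is that a malformed or truncated frame yields a status code rather than an out-of-bounds read or a `memcpy` past the end of a fixed buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example:
 *   type   : 1 byte
 *   length : 2 bytes, big-endian, number of value bytes that follow
 *   value  : `length` bytes
 * A frame is a sequence of such records back to back. */
#define MAX_VALUE_LEN 64

typedef struct {
    uint8_t  type;
    uint16_t length;
    uint8_t  value[MAX_VALUE_LEN];
} tlv_record;

enum tlv_status {
    TLV_OK        = 0,
    TLV_TRUNCATED = 1,   /* packet claims more bytes than were captured */
    TLV_TOO_LONG  = 2,   /* claimed length exceeds our fixed value buffer */
    TLV_TOO_MANY  = 3    /* more records than the caller has room for */
};

/* Parse one record at buf[*off]. Every length the packet supplies is
 * checked against the bytes that actually exist before it is used as a
 * copy size or an offset; *off only advances on success. */
static enum tlv_status tlv_read_one(const uint8_t *buf, size_t buflen,
                                    size_t *off, tlv_record *out)
{
    size_t pos = *off;
    if (buflen - pos < 3)                     /* fixed header must fit */
        return TLV_TRUNCATED;
    out->type   = buf[pos];
    out->length = (uint16_t)((buf[pos + 1] << 8) | buf[pos + 2]);
    pos += 3;
    if (out->length > MAX_VALUE_LEN)          /* never trust it as a copy size */
        return TLV_TOO_LONG;
    if (buflen - pos < out->length)           /* value must be inside the capture */
        return TLV_TRUNCATED;
    memcpy(out->value, buf + pos, out->length);
    *off = pos + out->length;
    return TLV_OK;
}

/* Dissect a whole frame into recs[]; *count is the number of complete
 * records parsed, even when a later record fails. */
static enum tlv_status tlv_dissect(const uint8_t *buf, size_t buflen,
                                   tlv_record *recs, size_t max_recs,
                                   size_t *count)
{
    size_t off = 0;
    *count = 0;
    while (off < buflen) {
        if (*count == max_recs)
            return TLV_TOO_MANY;
        enum tlv_status st = tlv_read_one(buf, buflen, &off, &recs[*count]);
        if (st != TLV_OK)
            return st;
        (*count)++;
    }
    return TLV_OK;
}

/* Constructed sample frames (not real captures). */
static const uint8_t FRAME_GOOD[]  = {0x01, 0x00, 0x04, 'h', 'o', 's', 't',
                                      0x02, 0x00, 0x01, 0x2a};
static const uint8_t FRAME_TRUNC[] = {0x01, 0x00, 0x10, 'a', 'b'}; /* claims 16, has 2 */
static const uint8_t FRAME_HUGE[]  = {0x01, 0xff, 0xff};           /* claims 65535 */
static const uint8_t FRAME_TAIL[]  = {0x01, 0x00, 0x00, 0x02};     /* partial 2nd header */

/* Helpers that expose the dissector's verdict on a frame. */
static int frame_status(const uint8_t *buf, size_t buflen)
{
    tlv_record recs[8];
    size_t n;
    return (int)tlv_dissect(buf, buflen, recs, 8, &n);
}

static int frame_records(const uint8_t *buf, size_t buflen)
{
    tlv_record recs[8];
    size_t n;
    tlv_dissect(buf, buflen, recs, 8, &n);
    return (int)n;
}

int main(void)
{
    printf("good : status %d, records %d\n",
           frame_status(FRAME_GOOD, sizeof FRAME_GOOD),
           frame_records(FRAME_GOOD, sizeof FRAME_GOOD));
    printf("trunc: status %d\n", frame_status(FRAME_TRUNC, sizeof FRAME_TRUNC));
    printf("huge : status %d\n", frame_status(FRAME_HUGE, sizeof FRAME_HUGE));
    printf("tail : status %d, records %d\n",
           frame_status(FRAME_TAIL, sizeof FRAME_TAIL),
           frame_records(FRAME_TAIL, sizeof FRAME_TAIL));
    return 0;
}
```

The two checks in `tlv_read_one` are the whole story: the header length is compared against the remaining capture before it is read, and the claimed value length is compared both against the destination buffer and against the remaining capture before `memcpy`. A dissector that skips either one is exactly the kind of code that turns a crafted packet on the wire into a crash or worse, which is why a broad audit pass over every dissector, as suggested above, is the more durable fix than one errata per bug.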

More information about the fedora-devel-list mailing list