[Pan-users] Re: Pan and Ubuntu updates: Heads up

From: Duncan
Subject: [Pan-users] Re: Pan and Ubuntu updates: Heads up
Date: Thu, 25 Dec 2008 00:19:51 +0000 (UTC)
Pan/0.133

Rick Barry <address@hidden>
posted address@hidden, excerpted below, on 
Wed, 24 Dec 2008 05:19:02 -0800:

> I recently ran my update manager in Ubuntu 8.04. I installed 20 odd
> "security" updates. Now PAN 0.132 will no longer import NZB files. Doing
> so simply shuts the program down.

So they patched the problem by patching out the ability to import 
*.nzbs... /only/ about five months after most reasonable distributions 
patched it using upstream's patch of the real problem, and four months 
plus since upstream released 0.133 including its patch.

Or maybe they didn't update pan at all (the OP didn't say pan was 
updated), but rather one of its libraries... with an incompatible 

What about pan's usual tasks.nzb file that it stores its own tasks list 
in?  Does that still work?  If it does, the buffer underflow and thus the 
security issue may still exist in it.  However, one could then work 
around the importing nzb problem by shutting pan down, renaming the nzb 
they wanted to import to replace pan's file, then reopening pan.  If it 
doesn't, what do they use to store pan tasks over a shutdown, or do they 
just forget them now?

Regardless, the experience with this, with their bug on the problem 
sitting open for months after many distributions have fixed the problem, 
their security address still CCed, I lost my formerly high respect for 
Ubuntu some months ago and would no longer recommend it to anyone.  (Of 
course I use Gentoo, personally, but while it's a great fit for me, it's 
not something I'd recommend for the average person.)

Duncan
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

