[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Why do we still have this on the distribution?

On Thu, 07 Apr 2005, Andrew Pollock wrote:
> On Wed, Apr 06, 2005 at 10:18:23AM +0200, Thijs Kinkhorst wrote:
> > This raises a valid point; maybe the maintainer can comment on
> > this? Since we already receive no security updates to php3 from
> > upstream, is it feasible security-wise to keep it in the
> > distribution for some years to come?
> I think the opinion of the stable release manager and security team
> should rank higher than the maintainer also.

If the RM and or security team feel that a package is likely to be the
cause of too much grief for them to support security fixes for, they
should explain that fact to the maintainer(s) (if at all possible) and
let the maintainer(s) determine if they will take on the burden of
supporting the package in stable as well. If the maintainer doesn't
want that burden,[1] the maintainer should file a severity serious bug
against the package to keep it from being released in stable.

In the case of this particular package, the codebase isn't going to
rapidly diverge from stable, so any fix that needs to be made in sarge
or etch or $release will have to be made in sid as well. Ideally (heh)
the security team will just be able to apply the patch the
maintainer(s) apply in sid.

Whatever the case, if anyone feels that this (or *ANY*) package is a
security risk, audit it and file bugs against it. Claiming that there
may be security bugs that will possibly be swept under the rug at some
future date when sarge releases[2] just isn't going to do anything for

Don Armstrong

1: I'd argue that anyone who doesn't actually want to support (or at
least help support) their package with security fixes, etc. in stable
probably should already have such a bug filed in the BTS or should be
making sure that they've kept the security team well stocked with
alchohol or whatever tasty bribe the security team prefers. [Or make
users of the package aware of the fact that they'll need to bribe the
security team. ;-)]

2: Vigorously beating a sledgehammer into a tree

The major difference between a thing that might go wrong and a thing
that cannot possibly go wrong is that when a thing that cannot
possibly go wrong goes wrong it usually turns out to be impossible to
get at or repair.
 -- Douglas Adams  _Mostly Harmless_

http://www.donarmstrong.com              http://rzlab.ucr.edu

Attachment: signature.asc
Description: Digital signature

Reply to: