
Re: RFC: allow new upstream into stable when it's the only way to fix security issues.



Hi,
* W. Borgert <debacle@debian.org> [2005-07-31 23:24]:
> On Sun, Jul 31, 2005 at 11:10:04PM +0400, Nikita V. Youshchenko wrote:
> > (1) keep vulnerable packages in stable,
> > (2) remove affected packages from distribution,
> > (3) allow new upstream into stable.
> ...
> > What do you think on this?
> 
> I'd "vote" for (2), maybe with the goal of creating pressure
> towards upstream to take security more seriously.  Don't forget:
> The new versions will bring trouble to our poor users, as it's
> not API nor ABI compatible, has different bugs, etc.  Can't
> Debian + Ubuntu + ... create enough demand for useful security
> patches?  Remember the KDE/Qt licensing discussion...
> 
> (3) is second best.  At least typical server installations are
> not affected (we use w3m, don't we?) and desktop users are used
> to frustration anyway.  (1) is not an option.

I think for 1 there is no way! 3 would be the best if this
is possible and will not break the whole system. 2 would
make sense if there is not a big community using the package
or if this package has got no critical reverse dependencies.
I think it would be good if the maintainer would try 3 and
then a discussion on -devel should follow. If this doesn't
work the package has to be removed.
Regards, Nico
-- 
Nico Golde - JAB: nion@jabber.ccc.de | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org 
VIM has two modes - the one in which it beeps 
and the one in which it doesn't -- encrypted mail preferred
