Hi,

* W. Borgert <debacle@debian.org> [2005-07-31 23:24]:
> On Sun, Jul 31, 2005 at 11:10:04PM +0400, Nikita V. Youshchenko wrote:
> > (1) keep vulnerable packages in stable,
> > (2) remove affected packages from distribution,
> > (3) allow new upstream into stable.
> ...
> > What do you think on this?
>
> I'd "vote" for (2), maybe with the goal of creating pressure
> towards upstream to take security more seriously. Don't forget:
> The new versions will bring trouble to our poor users, as it's
> not API nor ABI compatible, has different bugs, etc. Can't
> Debian + Ubuntu + ... create enough demand for useful security
> patches? Remember the KDE/Qt licensing discussion...
>
> (3) is second best. At least typical server installations are
> not affected (we use w3m, don't we?) and desktop users are used
> to frustration anyway. (1) is not an option.

I think for 1 there is no way!

3 would be the best if this is possible and will not break the whole system.

2 would make sense if there is not a big community using the package or if this package has got no critical reverse dependencies.

I think it would be good if the maintainer would try 3 and then a discussion on -devel should follow. If this doesn't work the package has to be removed.

Regards
Nico
--
Nico Golde - JAB: nion@jabber.ccc.de | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
VIM has two modes - the one in which it beeps and the one in which it doesn't
-- encrypted mail preferred