On Thu, 07 Apr 2005, Andrew Pollock wrote:
> On Wed, Apr 06, 2005 at 10:18:23AM +0200, Thijs Kinkhorst wrote:
> > This raises a valid point; maybe the maintainer can comment on
> > this? Since we already receive no security updates to php3 from
> > upstream, is it feasible security-wise to keep it in the
> > distribution for some years to come?
>
> I think the opinion of the stable release manager and security team
> should rank higher than the maintainer also.

If the RM and/or security team feel that a package is likely to be the cause of too much grief for them to support security fixes for, they should explain that fact to the maintainer(s) (if at all possible) and let the maintainer(s) determine if they will take on the burden of supporting the package in stable as well. If the maintainer doesn't want that burden,[1] the maintainer should file a severity serious bug against the package to keep it from being released in stable.

In the case of this particular package, the codebase isn't going to rapidly diverge from stable, so any fix that needs to be made in sarge or etch or $release will have to be made in sid as well. Ideally (heh) the security team will just be able to apply the patch the maintainer(s) apply in sid.

Whatever the case, if anyone feels that this (or *ANY*) package is a security risk, audit it and file bugs against it. Claiming that there may be security bugs that will possibly be swept under the rug at some future date when sarge releases[2] just isn't going to do anything for me.

Don Armstrong

1: I'd argue that anyone who doesn't actually want to support (or at least help support) their package with security fixes, etc. in stable probably should already have such a bug filed in the BTS or should be making sure that they've kept the security team well stocked with alcohol or whatever tasty bribe the security team prefers. [Or make users of the package aware of the fact that they'll need to bribe the security team. ;-)]

2: Vigorously beating a sledgehammer into a tree

-- 
The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.
 -- Douglas Adams _Mostly Harmless_

http://www.donarmstrong.com              http://rzlab.ucr.edu