Re: How should we handle greenbone-security-assistant?
On Thu, 17 Dec 2020, Adrian Bunk wrote:
> > - ease of installation and reliability
> >   => we are doing bad now because many useful things are not packaged
> 
> What is the value added just by installing things through dpkg instead 
> of npm?
Why are you using Debian if you ask this?
On the top of my head:
- as a user, I like to have to only know about "apt/dpkg" instead
  of pip/npm/gem/...
- the Debian maintainer is ensuring some consistency that a random
  collection of upstream installations are not ensuring
- simple and consistent upgrade process
- etc.
> >   (due to the mismatch between our rules and those not-longer-so-new
> >   ecosystems) and when users have to manually install, the reliability
> >   goes down...
> 
> What reliability do you have with a 3 year old version of software where
> upstream only tells your users to upgrade to the latest versions?
> 
> The "changed paradigm" usually includes automatic updates to the latest
> version without any maintenance of older versions.
Indeed. We should have room for such software that should only be provided
within our rolling distribution and as backports.
> This is the easy part.
> How do you plan to fix all vulnerable versions?
By providing the latest and greatest version to all our users. As you
noticed, that kind of software does not mesh well with stable and LTS.
And at least anyone that is not installing the latest version can have
an idea of whether it's important/urgent for them to upgrade or not.
Cheers,
-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <hertzog@debian.org>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS