
Re: Bug#747697: [RFR] templates://debian-security-support/{debian-security-support.templates}



Hi there,

going through these template checks is somewhat similar to root canal
treatment: it's done with the best intentions, it actually doesn't hurt
that much, but still isn't a very pleasant experience. Trust me, I've
been through both. Having said that, that's part of the lame excuse for
why I didn't get back to you earlier ...

I'll try to keep this short. Assume ACK for the things that I answer
neither here nor in another mail.

Justin B Rye wrote...

> > - The following packages found on your system are affected by this.
> > + The following packages found on this system are affected by this:
> >   .
> >   ${MESSAGE}
> 
> I gather this template text is echoed by runtime messages from
> binaries in the package (since there's a messages.po with the same
> grammar problem).  Should I give you a patch for that too?

Please do so (it seems you've done so already). The po/messages.po
catalog file and the check-support-status.txt manpage should be part of
any translation.

> > - For some Debian packages, maintaining security support is not
> > + For some packages, maintaining security support is not

Please keep the word "Debian". This whole package is about how Debian
supports certain packages, and I'd like to avoid the erroneous
assumption that this is something upstream-driven.

> Talking about "the regular security maintenance life cycle" worked in
> the templates, but here it's not clear what "life cycle" you're
> talking about - it might be the "software life cycle" (from
> proof-of-concept to mature project to death-by-bitrot) of the
> packages.  And besides, once we start setting things up to allow an
> oldstable-LTS with incomplete security coverage, surely that *is* the
> planned security maintenance life cycle?

This *is* mostly about squeeze-lts actually. So for that one, the life
cycle will end in spring 2016. Should we add the "Debian" word to "the
regular security maintenance life cycle" to clarify?

> Do I understand that it does this by *containing lists* of packages
> with such limits?

These lists are indeed part of the package.

> Okay, so if LibreOffice (say) declares that the
> version of their software in stable is now unsupported, how is that
> information going to reach users who have debian-security-support
> already installed (apart from "via the security mailinglists they
> should also be subscribed to", that is)?

Upstream has no control here. It's the Debian security team who
decides to end support, but of course upstream's moves have some
influence on that. If such a decision is made, the team will also
release a new version of debian-security-support with an updated
list.

> I would have expected this
> package to have a cron-job downloading new lists and comparing them to
> "dpkg -l" output, or maybe to receive package updates via the security
> repository and automatically check for alerts via an apt hook.  But
> instead it seems to be essentially manual - is that correct?

Ending security support before the end of the regular Debian security
maintenance life cycle does not happen that often; in the past this
has been two or three times a year, if I recall correctly.

Keep in mind that several Debian installations have very limited network
access, so fetching everything from the net isn't always possible (and
that's why I'm in favour of Debian, since enforcing such a policy is
possible here).

[ debian/control ]

> +Description: security support coverage checker
> + For some packages, it is not feasible to maintain full security
> + support for all use cases through the full distribution release
> + cycle.

Again, more "Debian" here (using wdiff style):

> +Description: {+Debian+} security support coverage checker
> + For some {+Debian+} packages, it is not feasible to maintain full security


    Christoph
