
Re: How to deal with wireshark CVE affecting Squeeze



Hi,

On Sun, 12 Apr 2015, Ben Hutchings wrote:
> On Sun, 2015-04-12 at 01:05 +0200, Bálint Réczey wrote:
> [...]
> > I assume this situation is not unique to Wireshark. What do you think,
> > what would be the best for the LTS project in Wireshark's case and
> > what is the general LTS strategy in similar cases?
> 
> I think the best approach would be either:
> a. remove it from support and upload wireshark 1.8 to squeeze-backports
>    if possible, or
> b. upload the backported wireshark 1.8 package to squeeze-lts

I agree with Ben and I actually favor (b) when it doesn't introduce
backwards incompatibilities (i.e. few risks to break a working setup
just with the upgrade).

And you are right Balint, there are more packages in similar situations.
We should have some discussion on the topic but this list has been rather
quiet when we had concrete questions (like yours), for example about what
to do with mysql 5.1 that is no longer supported upstream and where CVE
details are hard to find. That's why I expect to have some discussion
about this during Debconf (and possibly also today in the minidebconf in
Lyon where I give a talk about Debian).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

