Re: calibre / CVE-2018-7889
On Wed, 11 Apr 2018, Antoine Beaupré wrote:
> 1. removing the package from dla-needed.txt
> 2. adding the package as unsupported in debian-security-support
> 3. (do we send end-of-life announcements to debian-lts-announce when we
> do that?)
It's easy to mark packages as unsupported and to find many reasons to
justify this choice but we should refrain from doing so. This is
a last-resort decision and I don't think it's really warranted here.
We have a patch for the bookmark handling, let's just apply it. The
other issue about metadata can probably be ignored because it requires
the user to upload a malicious file as metadata associated with one
of their books... and it's not like the malicious file could be hidden
as a modified cover picture or something like this.
We're not short on time, let's handle it properly. While our sponsors
are mainly companies interested in server software, we strive to support
all packages and I have heard multiple times stories of desktop users who
are happy to continue to run what's in their old release.
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/