
Re: Naming scheme of fis-gtm binary packages (Was: Bug#1009900: fis-gtm: Multiple CVEs in fis-gtm)



Hi again,

Amul, can you please, pretty please get to some decision *right now* and
then we act accordingly?  Leaving CVEs unattended just because there is
a package name discussion pending is not acceptable.  If I do not hear
from you until Monday I will throw a coin and do what the coin says.  We
can revert the decision of the coin afterwards once there is another
reason for an upload.

Kind regards
    Andreas.

On Sat, Jul 30, 2022 at 07:42:15AM +0200, Andreas Tille wrote:
> Hi Karsten,
> 
> I do not mind keeping the numbering scheme if it makes sense and
> reflects the truth.  It just needs to be done in a timely manner.  Long
> standing open CVEs are not acceptable.  The current decision should be
> drawn quickly and acted accordingly.  I hope I made the consequences to
> keep the current versioning scheme clear and if the price is worth
> paying then it should be paid.  Just doing nothing is wrong in the
> current situation.
> 
> Kind regards
>    Andreas.
> 
> On Fri, Jul 29, 2022 at 04:36:09PM +0200, Karsten Hilbert wrote:
> > On Fri, Jul 29, 2022 at 09:56:05AM +0200, Andreas (Debian) wrote:
> > 
> > > I wonder if there is some decision about the naming scheme.  I *really*
> > > want to get the CVE bugs fixed.  Users might consider Debian packages
> > > useless otherwise.
> > 
> > As far as I remember the "Mumps community" considers each and
> > every release "potentially incompatible".
> > 
> > This may or may not be true, and it may or may not be wise,
> > regardless of truth.
> > 
> > I would think that there should be an external repository
> > being run by, say, fis.gtm, which carries "each and every"
> > minor release as an installable package. This is similar to
> > what PostgreSQL offers. Additionally, in order to lower the
> > barrier for entry, there should be official, in-Debian,
> > "stable" packages, say v6, v7, ... which carry the currently
> > latest patch release per major version. Creating those ought
> > to be pretty easy, once the vendor repo is available.
> > 
> > Karsten
> > --
> > GPG  40BE 5B0E C98E 1713 AFA6  5BC0 3BEA AC80 7D4F C89B
> > 
> > 
> 
> -- 
> http://fam-tille.de
> 
> 

-- 
http://fam-tille.de

