On Wed, Sep 28, 2011 at 09:19:57PM -0400, Michael Gilbert wrote:
> Michael Gilbert wrote:
> > > In any case, I'm not entirely convinced that a NEWS file is the
> > > right location to be making a statement that seems in danger of
> > > approaching "this package isn't getting security support in lenny".
> > So, an EOL could be declared on t1lib, but there are many dependencies
> > on it.  So, I saw the news file as more of a tool to educate the user
> > on what to do to disable t1lib if they actually see these issues as
> > concerns.  Another possibility would be to set t1lib=no in the default
> > xpdfrc (which disables it) with instructions in NEWS.Debian on how to
> > reenable it.
> Any thoughts on what the right thing to do is here?  Whatever the
> decision, that's what I'll implement, and I would really like to get
> this into the upcoming lenny proposed-update.

It's certainly too late for the point release this weekend.  The deadline
was Sunday.

That said, I really don't want to introduce behaviour changes due to security
updates in a point release.  Instead there should be a proper announcement
stating the pros and cons of re-enabling t1 support for those who need it, if
it's going to be deactivated by default.  Point releases are supposed to be
non-breaking bugfixes; it should not be necessary to read the announcement for
them.  For security updates there is often important information in the
announcement, like the dropped support for some Java VM variants in DSA 2311-1.

So if you feel that this is important enough to disable the functionality and
that the functionality is used widely enough that it warrants that users
ought to be informed about the regression, please make sure that an
announcement is made to the proper venue, which is -security-announce.