[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)



hi,

(this started as a discussion whether to update radare2 in (old)stable
and has since then evolved into a discussion about the problem
summarized well by Raphael.)

On Thu, Aug 29, 2019 at 01:48:14PM +0200, Raphael Hertzog wrote:
> On Thu, 29 Aug 2019, Moritz Mühlenhoff wrote:
> > The upstream link makes it sound as if they are one of those upstreams
> > which reject the idea of distributions shipping an older release to
> > a stable distro. For a tool like radare2 that seems fair enough, so
> > how about simply excluding it from stable releases (and retroactively
> > drop it from Buster/Stretch in the forthcoming point releases)?
> 
> <pkg-security hat>
> While I have no problem in getting it out of stable release, it is
> important that we are able to provide backports so the package must
> stay in Debian testing. 
> </pkg-security hat>
> 
> <kali hat>
> Also radare2 is a package that we care about in Kali and we are based
> on Debian testing so we would prefer if it could continue to be there.
> </kali hat>
> 
> In general, we (Debian) don't have a good answer to this problem and
> virtualbox is clearly a bad precedent. We really need to find a solution
> to this in concertation with the release managers.

so I've added them to this thread.

youtube-dl is in the same boat...


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Attachment: signature.asc
Description: PGP signature


Reply to: