Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: sre@debian.org, bengen@debian.org, debian-lts@lists.debian.org, debian-security@lists.debian.org
Subject: Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.
From: Raphael Hertzog <hertzog@debian.org>
Date: Thu, 29 Aug 2019 13:48:14 +0200
Message-id: <[🔎] 20190829114814.GA17510@home.ouaza.com>
Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, sre@debian.org, bengen@debian.org, debian-lts@lists.debian.org, debian-security@lists.debian.org
In-reply-to: <[🔎] 20190829073639.GA17377@pisco.westfalen.local>
References: <5d570e0e85913_3a23fad60a3dc14623269@godard.mail> <[🔎] 20190816204054.rcqwvev6yahxntcc@layer-acht.org> <[🔎] b5fd4df6-ed56-f76a-df2c-8cadcfb02b47@debian.org> <[🔎] 20190829073639.GA17377@pisco.westfalen.local>

Hi,

On Thu, 29 Aug 2019, Moritz Mühlenhoff wrote:
> The upstream link makes it sound as if they are one of those upstreams
> which reject the idea of distributions shipping an older release to
> a stable distro. For a tool like radare2 that seems fair enough, so
> how about simply excluding it from stable releases (and retroactively
> drop it from Buster/Stretch in the forthcoming point releases)?

<pkg-security hat>
While I have no problem in getting it out of stable release, it is
important that we are able to provide backports so the package must
stay in Debian testing. 
</pkg-security hat>

<kali hat>
Also radare2 is a package that we care about in Kali and we are based
on Debian testing so we would prefer if it could continue to be there.
</kali hat>

In general, we (Debian) don't have a good answer to this problem and
virtualbox is clearly a bad precedent. We really need to find a solution
to this in concertation with the release managers.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

Reply to:

Follow-Ups:
- how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)
  - From: Holger Levsen <holger@layer-acht.org>

References:
- Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.
  - From: Holger Levsen <holger@layer-acht.org>
- Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.
  - From: Markus Koschany <apo@debian.org>
- Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.
  - From: Moritz Mühlenhoff <jmm@inutil.org>

Prev by Date: Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.
Next by Date: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)
Previous by thread: Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.
Next by thread: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)
Index(es):
- Date
- Thread