On 10/31/06, Stephen Bennett <spb@g.o> wrote:

> Having a system that actually works is usually reckoned to be more
> important than patching minor security holes on architectures that
> aren't security-supported anyway. On systems that are almost never used
> in production or in externally visible roles, security bugs are much
> akin to simple enhancements to a package that already works, and fixing
> packages that don't work takes precedence.

Thanks for that. It's much appreciated.

This leaves package maintainers in the situation that there are
'old'/'insecure'/<insert preferred adjective here> versions of
packages that are hanging around only because arches have fallen
behind. Package maintainers want to be able to remove these old
versions, but currently cannot because of keywording-lag.

At the moment, it looks like there are a few choices:

1) Leave the older versions in the tree, even though they are
insecure and possibly/probably no longer supported by package
maintainers. This keeps minority arches happy at the expense of the
larger group of package maintainers.

2) Or, remove the older versions from the tree after a suitable
waiting period (say, 3 months for argument's sake). This will keep
package maintainers happy, and our users (less cruft in the tree to
rsync and metadata-cache), but causes real trouble for minority
arches.

3) ??

Best regards,
Stu
--
gentoo-dev@g.o mailing list