| 1 |
On 10/31/06, Stephen Bennett <spb@g.o> wrote: |
| 2 |
> Having a system that actually works is usually reckoned to be more |
| 3 |
> important than patching minor security holes on architectures that |
| 4 |
> aren't security-supported anyway. On systems that are almost never used |
| 5 |
> in production or in externally visible roles, security bugs are much |
| 6 |
> akin to simple enhancements to a package that already works, and fixing |
| 7 |
> packages that don't work takes precedence. |
| 8 |
|
| 9 |
Thanks for that. It's much appreciated. |
| 10 |
|
| 11 |
This leaves package maintainers in the situation that there are |
| 12 |
'old'/'insecure'/<insert preferred adjective here> versions of |
| 13 |
packages that are hanging around only because arches have fallen |
| 14 |
behind. Package maintainers want to be able to remove these old |
| 15 |
versions, but currently cannot because of keywording-lag. |
| 16 |
|
| 17 |
At the moment, it looks like there are a few choices: |
| 18 |
|
| 19 |
1) Leave the older versions in the tree, even though they are |
| 20 |
insecure and possibly/probably no longer supported by package |
| 21 |
maintainers. This keeps minority arches happy at the expense of the |
| 22 |
larger group of package maintainers. |
| 23 |
|
| 24 |
2) Or, remove the older versions from the tree after a suitable |
| 25 |
waiting period (say, 3 months for arguments sake). This will keep |
| 26 |
package maintainers happy, and our users (less cruft in the tree to |
| 27 |
rsync and metadata-cache), but causes real trouble for minority |
| 28 |
arches. |
| 29 |
|
| 30 |
3) ?? |
| 31 |
|
| 32 |
Best regards, |
| 33 |
Stu |
| 34 |
-- |
| 35 |
-- |
| 36 |
gentoo-dev@g.o mailing list |
Archives