pertusus at free.fr
Wed Dec 5 15:51:13 UTC 2007
On Wed, Dec 05, 2007 at 11:38:01AM +0100, Thorsten Leemhuis wrote:
> On 05.12.2007 11:30, Patrice Dumas wrote:
> > On Mon, Nov 26, 2007 at 05:18:19PM +0100, Thorsten Leemhuis wrote:
> >> Sure it's dangerous and problematic -- but it's IMHO still way better
> >> than to not ship a package just for a hypothetical situation where a major
> >> update might be the only way forward if a security issue comes up.
> >> Besides: if we want to update for non-security reasons we can provide
> >> compat packages as well, which should solve parts of the problem.
> > Ok, but then what to do when a security issue is discovered in the
> > package that is also relevant for the compat package but we don't want
> > to backport it? Simply remove the compat package from the repo?
> If there was a warning period or something like that, round about: yes.
> Note that even RHEL does that iirc. Didn't they for example switch from
> mozilla to seamonkey?
But this is not exactly the same, since one obsoletes the other. So the
plan could be along obsoleting the compat package with the oldest compat
package not having the security flaw? Otherwise the compat package will
stay happily even though it isn't in the repo anymore.