Francesco Poli
2008-May-17 13:58 UTC
[Secure-testing-team] Obsolete (testing) packages in security.debian.org
Hi all,
I think I've noticed a (minor) issue in how testing-security updates
are handled.
As an example, let's take a look at php4.
It was removed from unstable back on July 2007 and from testing on
October 2007: http://packages.qa.debian.org/p/php4.html
OK, but there's still a testing-security update floating around on
security.debian.org:
$ apt-cache policy php4
php4:
  Installed: (none)
  Candidate: 6:4.4.4-9+lenny1
  Version table:
     6:4.4.4-9+lenny1 0
        500 http://security.debian.org testing/updates/main Packages
As a consequence, a testing box with php4 installed would not yet
consider such a package as obsolete. In other words, the command:
$ aptitude search ~o
would not detect the presence of a package that's no longer supported
security-wise.
This is not a serious issue, since Debian testing users should try to
avoid "sleeping" anyway ;-) but having more ways to realize that a
package should be removed is always good.
That is to say: I think that packages should be automatically removed
from security.debian.org testing/updates, as soon as they have been
removed from *both* unstable *and* testing.
Another case where a package should IMHO be automatically removed from
security.debian.org testing/updates is whenever it has been superseded
by a more recent version that finally managed to migrate from unstable
to testing (maybe after waiting for, say, a week, just to be sure the
new version has propagated to the majority of Debian mirrors...).
What do you think about the above ideas?
Do they make sense?
P.S.: Please Cc: me on replies, as I am not a list subscriber. Thanks.
--
http://frx.netsons.org/doc/index.html#nanodocs
The nano-document series is here!
..................................................... Francesco Poli .
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Thijs Kinkhorst
2008-May-17 14:07 UTC
[Secure-testing-team] Obsolete (testing) packages in security.debian.org
Hi Francesco,

On Saturday 17 May 2008 15:58, Francesco Poli wrote:
> As an example, let's take a look at php4.
> It was removed from unstable back on July 2007 and from testing on
> October 2007: http://packages.qa.debian.org/p/php4.html
>
> OK, but there's still a testing-security update floating around on
> security.debian.org:

> Another case where a package should IMHO be automatically removed from
> security.debian.org testing/updates is whenever it has been superseded
> by a more recent version

> What do you think about the above ideas?
> Do they make sense?

They make very much sense, that's why there's already a bug open on it :-)
See #464045.

cheers,
Thijs
Francesco Poli
2008-May-17 14:19 UTC
[Secure-testing-team] Obsolete (testing) packages in security.debian.org
On Sat, 17 May 2008 16:07:46 +0200 Thijs Kinkhorst wrote:

[...]
> On Saturday 17 May 2008 15:58, Francesco Poli wrote:
[...]
> > What do you think about the above ideas?
> > Do they make sense?
>
> They make very much sense, that's why there's already a bug open on it :-)
> See #464045.

Heh! ;-)
Same exact ideas and same example as well!!

I haven't thought that I should have checked the BTS first: sorry for
that.

--
http://frx.netsons.org/doc/index.html#nanodocs
The nano-document series is here!
..................................................... Francesco Poli .
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
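
The gap described in the first message (an installed package that `aptitude search ~o` does not report because security.debian.org still carries it) can be checked for locally by parsing `apt-cache policy` output. The following is an added example, not part of the original thread or of any Debian tool; the function names, the package "somepkg" and the mirror line are constructed for illustration, and the check is a heuristic that only flags installed packages whose sole remote source is the security archive.

```python
import re
from urllib.parse import urlparse

# Constructed sample in `apt-cache policy` layout; somepkg and its mirror line are made up.
SAMPLE_POLICY = """\
php4:
  Installed: 6:4.4.4-9+lenny1
  Candidate: 6:4.4.4-9+lenny1
  Version table:
 *** 6:4.4.4-9+lenny1 0
        500 http://security.debian.org testing/updates/main Packages
        100 /var/lib/dpkg/status
somepkg:
  Installed: 1.2-3
  Candidate: 1.2-3+lenny1
  Version table:
     1.2-3+lenny1 0
        500 http://security.debian.org testing/updates/main Packages
 *** 1.2-3 0
        500 http://ftp.debian.org testing/main Packages
        100 /var/lib/dpkg/status
"""
SECURITY_HOST = "security.debian.org"
PACKAGE_RE = re.compile(r"^(\S+):\s*$")            # unindented "name:" header
SOURCE_RE = re.compile(r"^\s+-?\d+\s+(\S*/\S*)")   # "<priority> <URL or path>"

def parse_policy(text):
    """Return {package: {"installed": version, "sources": [URL or path]}}."""
    packages, current = {}, None
    for line in text.splitlines():
        header = PACKAGE_RE.match(line)
        if header:
            current = packages[header.group(1)] = {"installed": "(none)", "sources": []}
        elif current is not None and line.strip().startswith("Installed:"):
            current["installed"] = line.split(":", 1)[1].strip()
        elif current is not None and (m := SOURCE_RE.match(line)):
            current["sources"].append(m.group(1))
    return packages

def security_only_installed(text):
    """Installed packages whose only remote source is the security archive."""
    flagged = []
    for name, info in parse_policy(text).items():
        # Local entries such as /var/lib/dpkg/status have no scheme and are skipped.
        remote = [urlparse(s).hostname for s in info["sources"] if "://" in s]
        if info["installed"] != "(none)" and remote and set(remote) == {SECURITY_HOST}:
            flagged.append(name)
    return sorted(flagged)

print(security_only_installed(SAMPLE_POLICY))  # ['php4']
```

On a real system the input would be the captured output of `apt-cache policy` for the installed package names; flagged packages still need a manual look at their status in testing and unstable.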