Francesco Poli
2008-May-17 13:58 UTC
[Secure-testing-team] Obsolete (testing) packages in security.debian.org
Hi all,

I think I've noticed a (minor) issue in how testing-security updates are handled.

As an example, let's take a look at php4.
It was removed from unstable back on July 2007 and from testing on October 2007: http://packages.qa.debian.org/p/php4.html

OK, but there's still a testing-security update floating around on security.debian.org:

  $ apt-cache policy php4
  php4:
    Installed: (none)
    Candidate: 6:4.4.4-9+lenny1
    Version table:
       6:4.4.4-9+lenny1 0
          500 http://security.debian.org testing/updates/main Packages

As a consequence, a testing box with php4 installed would not yet consider such a package as obsolete.
In other words, the command:

  $ aptitude search ~o

would not detect the presence of a package that's no longer supported security-wise.

This is not a serious issue, since Debian testing users should try to avoid "sleeping" anyway ;-) but having more ways to realize that a package should be removed is always good.

That is to say: I think that packages should be automatically removed from security.debian.org testing/updates, as soon as they have been removed from *both* unstable *and* testing.

Another case where a package should IMHO be automatically removed from security.debian.org testing/updates is whenever it has been superseded by a more recent version that finally managed to migrate from unstable to testing (maybe after waiting for, say, a week, just to be sure the new version has propagated to the majority of Debian mirrors...).

What do you think about the above ideas?
Do they make sense?

P.S.: Please Cc: me on replies, as I am not a list subscriber. Thanks.

--
 http://frx.netsons.org/doc/index.html#nanodocs
 The nano-document series is here!
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Thijs Kinkhorst
2008-May-17 14:07 UTC
[Secure-testing-team] Obsolete (testing) packages in security.debian.org
Hi Francesco,

On Saturday 17 May 2008 15:58, Francesco Poli wrote:
> As an example, let's take a look at php4.
> It was removed from unstable back on July 2007 and from testing on
> October 2007: http://packages.qa.debian.org/p/php4.html
>
> OK, but there's still a testing-security update floating around on
> security.debian.org:

> Another case where a package should IMHO be automatically removed from
> security.debian.org testing/updates is whenever it has been superseded
> by a more recent version

> What do you think about the above ideas?
> Do they make sense?

They make very much sense, that's why there's already a bug open on it :-)
See #464045.

cheers,
Thijs
Francesco Poli
2008-May-17 14:19 UTC
[Secure-testing-team] Obsolete (testing) packages in security.debian.org
On Sat, 17 May 2008 16:07:46 +0200 Thijs Kinkhorst wrote:

[...]
> On Saturday 17 May 2008 15:58, Francesco Poli wrote:
[...]
> > What do you think about the above ideas?
> > Do they make sense?
>
> They make very much sense, that's why there's already a bug open on it :-)
> See #464045.

Heh! ;-)
Same exact ideas and same example as well!!

I haven't thought that I should have checked the BTS first: sorry for that.