Hey.

On Mon, 2012-06-25 at 19:35 +0200, Axel Beckert wrote:
> Right. But after wheezy the whole stuff will likely be removed from
> the package anyway upgrades from Oldstable to Stable+1 are not
> supported.

Of course,... I just wondered whether they can go away during wheezy?

> > Well if someone has removed gpgv it's his own fault and he'll simply
> > have to kill the running screen sessions.
> Or "trust" his mirror.

Where the NSA is already waiting ;-)

> > - OTOH, as you already provide information that 4.1 cannot connect to
> > pre 4.1 in the NEWS file,
> ... and via debconf and the release notes! :-)

btw: I saw so often changes in Debian, which are really critical, often even highly security critical (e.g. the php drop from mime-support)... and no-one thought above the horizon.... or even cared very much when pointing them on it...
So really great how much you already did for something, where others would likely have said... just let them kill those stupid old screen sessions...

> Sure. Putting it in the release notes is just another way to ensure
> that as many potentially affected users are informed.

Yep!

> Easy. Remote dist-upgrade via SSH. Use screen to be secured against
> temporary connection loss or change of the client's IP.

Of course... but then... simply bad luck,... especially if a user already ignored all warnings and so on...

> At some point of the dist-upgrade, screen is upgraded. The old version
> still runs as server, but the client on disk is already the new
> version. As long as the screen client runs, everything is fine.

Of course.

> > The only one I can imagine is:
> > The user is upgrading screen with apt-get/aptitude/dpkg...
> > He can only do so, if no apt-get/aptitude/dpkg are running, because
> > otherwise, they would be locked.
>
> Sorry, but I don't get that. "upgrading ... if no
> apt-get/aptitude/dpkg are running" doesn't make much sense to me.

I meant... not further apt-get/dpkg... in another screen session.
But of course your point, that the current screen sessions could detach for e.g. lost connection,... is of course all but impossible

> > So when he leaves or quits it,
> You mean "detach"?

yep..

Well I from my side am basically fine with all options we have now:
If you keep your simple wget as it is now, just add a note, that this alone is absolutely insecure, and the user must verify the package integrity by some way. Optionally referring them to you or mailing lists... I doubt there will be many requests.
Or include a small howto with enough hints on what to check.
Or a script which does all that.

I personally, would however place neither of the two in the NEWS.Debian but somewhere in /u/s/d/screen/ and just refer to them in NEWS.Debian

Cheers,
Chris.