Hi,

* Giacomo Catenazzi <c...@debian.org> [2010-07-31 17:52]:
> On 07/31/2010 04:38 PM, Nico Golde wrote:
> > Package: ftp.debian.org
> > Severity: normal
> >
> > I hereby request the removal of lxr from the archive; it should not be
> > included in squeeze either.
> >
> > The version that our package is currently based on is 0.3 (from 2003), which
> > is light years behind upstream, has security bugs and is not properly
> > maintained.
> > See e.g. #588138 and #585411. Probably #575745 affects lxr as well, hard to
> > tell though, since the code heavily differs because it's so old.
> >
> > There has been no move from the maintainer towards packaging current upstream
> > versions, and given the small number of popcon installations this doesn't have
> > an impact on many users.
>
> No. Please wait. I agree that there are problems, but:
> - I would not include it in squeeze anyway

Did I miss the removal request for squeeze then?

> - let go before the security fixes in lxr, then we could see if we
> could remove it.

I don't understand this part.

> BTW most of the security bugs are only in lxr-cvs, which is an
> "enhancement" of lxr with other upstreams.

What do you mean by most? The affected ones are filed in the BTS, and I did
state that #575745 probably affects lxr as well.

> One of the enhancements was to allow cross-referencing many languages, thus
> doing indirect regex and other more complex tasks, inducing
> such errors.

None of the bugs that are currently open have been introduced by such
things; they rather affect general functionality.

> LXR instead has hardcoded C decoding, and it seems with
> many fewer errors.
>
> For now I would remove lxr and lxr-cvs from squeeze, and
> I'll ask upstream what their plans are, and probably I will propose
> to remove lxr-cvs as well.

There is no need to remove lxr-cvs, as I just prepared an NMU for it.

As for lxr, my opinion stands. If you can properly maintain it, it has no
place in the archive. Proper maintenance includes keeping up to date with the
upstream version (which, from what I see, would solve all your problems in
this case). There wouldn't even be a need to remove anything if you kept up
with upstream.

> PS: I would use some debconf time to improve the situation so
> that users will not have security problems after we remove
> the packages.

Again, see the NMU I prepared for lxr-cvs; it should be fine. For lxr I think
there is hardly much to do apart from upgrading to the current upstream
version, which you haven't done for quite a long time. Thus the removal
request. If that changes now, fine, then I see no reason to remove it.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.