[removing pkg-voip and security team members from the Cc list since they will get the mail]
Moritz Muehlenhoff wrote:
> For Etch we need to bite the bullet and continue to support it (see my
> previous mail to Faidon), but with the current strain of vulnerabilities
> (19 in 2007 alone!) we can't support it for Lenny again. In some cases we
> need to accept notoriously error-prone packages because they are terribly
> important (like PHP and Linux), but we can't do that for Asterisk.
>
> For Lenny I see three solutions: (in order of my personal preference)
> 1. Move it to volatile.debian.org and support it through builds of the
>    current Digium maintenance release
> 2. Drop it from stable and support it out of the archive through builds
>    of the current Digium maintenance release
> 3. For Lenny we'll most likely have a way to flag packages not having
>    security support (see #436161). So, it could be included in Lenny w/o
>    security support. There might still be use cases, e.g. a company-wide
>    internal PBX.

I have to say that I find all of these unacceptable.

Granted, Asterisk had some vulnerabilities recently - which IMHO is because it's getting more attention recently - but upstream has a good record of responding to these in time with code and even their own advisories! They even provide security updates to their old major version (1.2) at the same time as the new one (1.4), which fits our release cycle. The fixes are easily spotted since they have both their VCS and BTS open: the commit messages refer to the advisory and the advisories link to the bug. In the fixes I sent you, the patches are from their repository *completely* unchanged. They applied cleanly to our version!

Other vendors and distributions provide security support for Asterisk, including Ubuntu, which contains versions of ours.

Granted, we have a very, very bad record as maintainers of supporting this security-wise, but I think we can try to change that. I certainly will try my best to provide you with patched versions to upload.
I haven't discussed this with the rest of the team yet, but I think they are willing to help with this. I don't think that it serves our users to not provide security support for Asterisk, especially considering its popularity.

Regards,
Faidon