"Thijs Kinkhorst" <[EMAIL PROTECTED]> writes:
> Hi Emilio,
>
>> I would also consider removing it from stable, as I think the security
>> team cannot support it.
>
> The security team for stable often supports versions that are upstream
> abandoned. The question is whether such a thing is feasible for a package.
> In this case I see just one open security issue in the tracker, for which
> a patch is available. I therefore see no immediate need to remove the
> package from stable.
I think the problem with this package is that the version in stable/testing is old enough that recent advisories about b2evolution don't ever bother to check if the problem exists in 0.9.2. So then it is a lot of work for the security team/users to check if any new advisory applies to such an old version of the package and then write/adapt a patch. Who knows, security by obsolescence sometimes works. :)

I asked for the removal from stable because IMVHO installing b2evolution as it is now in Etch is just asking for [security] trouble. The package is 9 major versions behind upstream! (0.9 -> 1.6 -> 1.8 -> 1.9 -> 1.10 -> 2.0 -> 2.1 -> 2.2 -> 2.3 -> 2.4)

I'm getting a lot of attacks in the logs for b2evolution. ATM none of them worked, as they targeted higher versions of the software, but it wouldn't surprise me if one day one of them works, given that b2evolution is written in PHP and the attack patterns are similar. I just switched all my installs.

In fact, I guess the package should be orphaned and removed from Debian if a new maintainer doesn't step up, as Xavier Luthi (the original maintainer) is not around (I didn't see him in mentors either).

Thanks a lot for your work,
Emilio