On Mon, Sep 30, 2019 at 12:39:33PM +0200, Michael Boelen wrote:
> Although I can understand the sentiment of disabling "phoning home"
> functionality, it is there with a good reason. It helps people to learn
> when their software is (very) outdated, especially when it comes to doing a
> security audit. Using old software to perform an audit has its own risks.

I understand that this is born out of good intentions. However, consider that Debian users understand that the mechanism for getting software updated, and checking for updates, is "apt-get". They _want_ a unified way of doing this: that's why they're using a distribution, and why they installed lynis from the distribution archive! There are mechanisms to notify users of software needing an update via apt, and better still, it's unified. And if a Debian user is using an older Debian release, they have deliberately chosen that path, or at least are generally aware of it.

Consider what would happen if every piece of software in Debian followed this same behaviour. I understand that you consider lynis to be special, but so might many other upstream maintainers of similarly sensitive software, so we'd end up in the same undesirable situation.

Instead, if there are specific issues with the lynis package in existing Debian releases, please file those separately, and the maintainer will be able to fix them according to Debian's stable update and security policies, thus giving Debian users the unified release management they expect. You could also ship newer lynis releases into the Debian backports repository for users who wish to opt in.

> Hope this helps at least with improving the Debian package,

Thank you for helping out in Debian!

Robie