Hi Robie,

I totally agree that if this is Debian policy, then the functionality should be disabled. I'm not saying that Lynis should be an exception and don't think Lynis is special in any way :)

Just to clarify: the reasoning that I gave for automatic update checking was meant generically, as Lynis is not Debian-specific software. The automatic update check is there as it applies to all packages and even standalone (git clone/tarball) usage. We want to encourage people to keep their software up-to-date. Still, it is totally fine if Debian/Ubuntu/CentOS users decide to use the repositories and therefore have older/stable versions.

Regarding newer Lynis versions in the Debian repositories: that is under the control of the package maintainer. We (= the main developers of the Lynis project) provide an external repository for those users that want to use the very latest version.

Cheers,
Michael

On Fri, Oct 4, 2019 at 10:37 AM Robie Basak <ro...@justgohome.co.uk> wrote:

> On Mon, Sep 30, 2019 at 12:39:33PM +0200, Michael Boelen wrote:
> > Although I can understand the sentiment of disabling "phoning home" functionality, it is there with a good reason. It helps people to learn when their software is (very) outdated, especially when it comes to doing a security audit. Using old software to perform an audit has its own risks.
>
> I understand that this is born out of good intentions. However, consider that Debian users understand that the mechanism for getting software updated, and checking for updates, is "apt-get". They _want_ a unified way of doing this: that's why they're using a distribution, and why they installed lynis from the distribution archive! There are mechanisms to notify users of software needing an update via apt, and better still, it's unified. And if a Debian user is using an older Debian release, they have deliberately chosen that path, or at least are generally aware of it.
>
> Consider what would happen if every piece of software in Debian followed this same behaviour.
>
> I understand that you consider lynis to be special, but so might many other upstream maintainers of similarly sensitive software, so we'd end up in the same undesirable situation.
>
> Instead, if there are specific issues with the lynis package in existing Debian releases, please file those separately, and the maintainer will be able to fix them according to Debian's stable update and security policies - thus giving Debian users the unified release management they expect. You could also ship newer lynis releases into the Debian backports repository for users who wish to opt-in.
>
> > Hope this helps at least with improving the Debian package,
>
> Thank you for helping out in Debian!
>
> Robie
>
> [1] https://wiki.debian.org/ReproducibleBuilds