On Wed, Nov 09, 2016 at 11:16:36AM +0800, Paul Wise wrote:
> On Wed, Nov 9, 2016 at 1:36 AM, Emilio Pozuelo Monfort wrote:
> 
> > Right. We want auto-removals to be useful for the release process, so that we
> > don't end up with a thousand RC bugs in testing when we freeze, most of them
> > on packages that nobody cares about, not even their maintainers.
> >
> > However, we don't want auto-removals to drop your package behind your back. If
> > that happens, that's a bad thing and you should let us know so we can fix
> > things. Auto-removals should notify the maintainer in advance, and only act
> > after a reasonable period of time.
> >
> > The "packages can't re-enter testing during the freeze" is an incentive so that
> > maintainers don't wait to fix a package after a few months, and so that we don't
> > have to go and remove them manually. This way you know that something is going
> > to happen if you don't act, yet you should have a reasonable amount of time to
> > do something. Hopefully this helps have a short(er) freeze, which is good for
> > everyone.
> 
> FYI, it looks like at least buildd stuff (IIRC that uses dose3),
> rt.d.o, snapshot.d.o and the Debian VoIP services will need to remain
> on jessie until the affected packages reach stretch-backports

Is anyone tracking what packages are installed from backports on
Debian machines, and the CVEs in them?

Using backports without doing that would be irresponsible.

> as a
> result of the autoremovals stuff:
> 
> https://lists.debian.org/debian-services-admin/2016/10/msg00002.html
>...

Package removals from unstable are also a potential problem, example:

==> vogler.debian.org <==
New packages removed from Debian 'testing' (the maintainer might need help):
 - freeradius - https://tracker.debian.org/pkg/freeradius
 - freeradius-common - https://tracker.debian.org/pkg/freeradius
 - freeradius-utils - https://tracker.debian.org/pkg/freeradius
 - libfreeradius2 - https://tracker.debian.org/pkg/freeradius

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806617#22
The maintainer wanted to remove this package from *unstable*.

FreeRADIUS is popular enough that people noticed before an RM: bug was 
filed, and new maintainers were found immediately.
Other packages are not that popular.

If any packages needed on these Debian machines have been removed from 
unstable, they are not on your list.

This is the reason why an ITP/RM revolving door is creating huge 
headaches for users.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
