precedent for
> having Debian packages reflect epochs added in third-party repositories
> in general.
>...
Sounds good to me in that case, especially considering that this is a
quite popular 3rd party repository.
> smcv
cu
Adrian
7
> buster: 0:10~2020.08.17
> stretch: 0:9~2020.08.17
> and so on.
>...
> Feedback welcome.
One nitpick:
~ works, but the "before" semantics makes it look confusing.
10~2020.08.17 is the 2020.08.17 snapshot/prerelease before 10.
I would suggest one of
1:11.2020.08.17
1:11+2020.08.17
> cheers,
> Holger
cu
Adrian
d as an excuse for introducing regressions or not
fixing problems
Fixing problems should always be preferred to documenting problems.
> Kind regards,
> Andrei
cu
Adrian
Package: wnpp
Severity: wishlist
Owner: Adrian Alves
* Package name: python-oxd
Version : 2.4.4
Upstream Author : Gluu
* URL : https://github.com/GluuFederation/oxd-python
* License : MIT
Programming Lang: Python
Description : Python bindings for Gluu
lding the packages - this is
then your personal policy, and autobuilders are also able to run the
tests if they want to.
This would allow automated checking that the normal build does not
access the network as well as everyone with privacy concerns to not
opt-in to running them, without making it
"
or even "the bug will be fixed in stable".
Policies for updating stable can be changed, but I do not see where to
suddenly find the huge amount of people with the skills, spare time and
enthusiasm to properly debug all issues reported against the ancient
software [1] the users of D
ions of
such packages in stable.
It is not likely that anyone will ever look at these bugs - they are
clutter from the moment they are being reported.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need
at is in one stable release
disappears in the next stable release, and I guess dasher can forever
serve as a good example of critical software having been removed from
unstable without a single good reason.
I am also personally unhappy that creating a patch for the RC bug
triggered remov
security support,[3]
or if he gets no FreeRADIUS in stretch?
FreeRADIUS is high-profile enough that many Debian developers do care
and new maintainers were quickly found. Many other packages are not.
> Scott K
cu
Adrian
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806617#42
[2] th
On Thu, Oct 06, 2016 at 02:46:46PM -0400, Scott Kitterman wrote:
>
>
> On October 6, 2016 8:51:59 AM EDT, Adrian Bunk wrote:
> >On Thu, Oct 06, 2016 at 02:46:44AM -0400, Scott Kitterman wrote:
> >>...
> >> As frustrating as occasional removal/reintroduction cy
isible
immediately when looking at the bug - I thought this was already resolved.
> Cheers,
> Moritz
cu
Adrian
[1] https://buildd.debian.org/status/package.php?p=mariadb-10.0&suite=jessie
On Sun, Oct 09, 2016 at 11:13:21PM +0100, Adam D. Barratt wrote:
> On Sun, 2016-10-09 at 21:12 +0300, Adrian Bunk wrote:
> > [ adding debian-powerpc ]
> >
> > On Sun, Oct 09, 2016 at 06:54:44PM +0200, Moritz Mühlenhoff wrote:
> > > Niels Thykier schrieb:
> >
s
transport [3] to the installer, which would currently add libcurl and
GnuTLS and more to the installer.
When the https apt transport goes from exotic to mandatory,
its footprint should be reduced.
There might be other places in the distribution that also need changes.
> Toodles,
>paultag
c
, and no SSE at all on i386.
Similar problems exist in your package on arm* regarding OMAP3/OMAP4/NEON.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
On Mon, Oct 17, 2016 at 03:10:57AM +0100, Ben Hutchings wrote:
> On Sun, 2016-10-16 at 18:57 +0300, Adrian Bunk wrote:
> [...]
> > You should fix your package so that it works on the lowest supported
> > hardware of each port.
>
> Right.
>
> > Autobuilding is
here.
In unstable there are around 3500 packages for perl modules,
and even more for python modules.
The whole JS ecosystem still being a bit immature is a real problem,
but the number of packages itself is not a problem.
I am not a fan of all that JS stuff, but I do not see any valid basis
f
minimum standards?
And who will do the work?
The whole problem is not unique to JS.
See #841113 for a random recent example in C where someone looked
at an ITP.
We are talking about 10 ITPs per day.
cu
Adrian
tch, and the result is not even
smaller than the dropbear everyone else uses for that purpose.
To make the NIH complete, it uses own versions of standard C library
string functions and an own (pretty primitive) build system.
cu
Adrian
[1] thank god only in experimenta
the latest time when something like that was
still considered acceptable security.
Today this is just extremely bad sandboxing, and anyone suggesting to
do anything like that in 2016 proves without any doubt that he doesn't
have a clue regarding security.
> Jan
>...
cu
Adrian
clue about
security will end up doing something like that.
For the kind of attacks you are describing, https is just snake oil.
> Regards,
cu
Adrian
also happens to carry the traffic between you and
the Debian mirror you are using, HTTPS won't make a difference.
cu
Adrian
On Mon, Oct 24, 2016 at 04:00:49AM -0700, Kristian Erik Hermansen wrote:
> On Mon, Oct 24, 2016 at 1:59 AM, Adrian Bunk wrote:
> but also I should point out that your email is being routed
> insecurely via welho.com and lacks TLS in transit, so I also probably
> shouldn't
On Mon, Oct 24, 2016 at 04:00:39PM +0100, Ian Jackson wrote:
> Adrian Bunk writes ("Re: When should we https our mirrors?"):
>...
> Adrian:
> > Noone is arguing that switching to https would be a bad thing,
> > but whether or not it will happen depends solely on whe
On Mon, Oct 24, 2016 at 09:22:39AM -0700, Russ Allbery wrote:
> Adrian Bunk writes:
> > On Sun, Oct 23, 2016 at 07:28:23PM -0700, Russ Allbery wrote:
>
> >>...
> >> The value of HTTPS lies in its protection against passive snooping. Given
> >> the sad sta
On Mon, Oct 24, 2016 at 04:33:57PM -0700, Russ Allbery wrote:
> Adrian Bunk writes:
>...
> > I would assume this can be pretty automated, and that by NSA standards
> > this is not a hard problem.
>
> Since the entire exchange is encrypted, it's not completely
s
> currently... complicated.
>...
The "must not be compiled with the `-fPIC' flag" unless there is an
exceptional case is still true.
So only a slight update in the wording is required regarding PIE.
cu
Adrian
tion you were already considering worth additional work.
> Henrique Holschuh
cu
Adrian
[1] binary and source package
ackage" means that you actually call "autoreconf".
"touch configure.ac" breaks the build of the hello package due to
missing aclocal-1.14
Be prepared to see a lot of such issues when you touch random files.
If you want this to work properly, Debian has to move from usi
nerated from the git metadata.
You are saying it is a bug that .git is not shipped in the source
tarball of GNU hello?
> Regards,
cu
Adrian
On Mon, Oct 31, 2016 at 01:42:26AM +, Ian Jackson wrote:
>...
> Adrian Bunk writes ("Re: Rebuilds with unexpected timestamps"):
> > Be prepared to see a lot of such issues when you touch random files.
>
> I'm certainly expecting to see lots of issues.
>
On Mon, Oct 31, 2016 at 03:58:12PM +, Ian Jackson wrote:
> Adrian Bunk writes ("Re: Rebuilds with unexpected timestamps [and 1 more
> messages]"):
> > On Mon, Oct 31, 2016 at 01:42:26AM +, Ian Jackson wrote:
> ...
> > > If it does "sufficiently diff
On Tue, Nov 01, 2016 at 12:05:38PM +, Ian Jackson wrote:
>...
> Personally I think a Linux kernel tarball, without accompanying git
> history, is a GPL violation.
>...
Why would the git *history* matter for GPL compliance?
You can push from a shallow clone.
>
the
LUA 5.1 static library has not been compiled with the toolchain that
defaults to PIE, and the one and only change required to fix the build
of qcontrol should therefore be to request a binNMU of lua5.1
> Cheers,
> Balint
cu
Adrian
e-specific packages
that are only relevant for a subset of the supported hardware on a port?
Half of the stretch release architectures have a popcon lower than 25.
cu
Adrian
s "no", then nothing is a solution that does not also
solve how to notify the user when a new security update of the kernel
was automatically installed on his remote server.
cu
Adrian
ether this issue is worth
stable updates for > 10 packages.
> -Ralf.
cu
Adrian
On Fri, Nov 04, 2016 at 05:05:33PM -0400, Scott Kitterman wrote:
>
>
> On November 4, 2016 5:01:31 PM EDT, Adrian Bunk wrote:
> >On Fri, Nov 04, 2016 at 09:22:02PM +0100, Ralf Treinen wrote:
> >> Hi,
> >
> >Hi Ralf,
> >
> >> in the Colis proj
On Fri, Nov 04, 2016 at 10:21:13PM +0100, Ralf Treinen wrote:
> On Fri, Nov 04, 2016 at 11:01:31PM +0200, Adrian Bunk wrote:
> > On Fri, Nov 04, 2016 at 09:22:02PM +0100, Ralf Treinen wrote:
> > > Hi,
> >
> > Hi Ralf,
> >
> > > in the Colis project (w
dding libssl1.0-dev dependencies to libqt4-dev and qtbase5-dev.
After that, trying to compile any Qt-using package with the wrong
OpenSSL should fail due to unsatisfiable build dependencies.
cu
Adrian
On Fri, Nov 04, 2016 at 10:27:00PM +, Holger Levsen wrote:
> On Fri, Nov 04, 2016 at 10:51:15PM +0200, Adrian Bunk wrote:
> > Should Debian also default to automatically reboot?
> >
> > If the answer is "no", then nothing is a solution that does not also
> >
ansiontion freeze is today (sic).
This is exactly to ensure that no new disruptive library changes can
be started after today.
> Cheers,
>
> Thomas Goirand (zigo)
>...
cu
Adrian
On Tue, Oct 25, 2016 at 11:06:23AM -0700, Russ Allbery wrote:
> Adrian Bunk writes:
>...
> So, I'm not quite sure how to put this, since I don't know how much work
> you've done professionally in computer security, and I don't want to
> belittle that.
Running outdated microcode is a bad idea, and no one is making
Debian-specific workarounds for all the other CPU errata.
cu
Adrian
ne for many users for quite some time now.
cu
Adrian
.
An orphaned package maintained by QA where everyone can just upload
without delay is better maintained than a package with an inactive
maintainer.
cu
Adrian
FreeRADIUS is popular enough that people noticed before an RM: bug was
filed, and new maintainers were found immediately.
Other packages are not that popular.
If any packages needed on these Debian machines have been removed from
unstable, they are not on your list.
This is the reason why an ITP
nitely* going to do it for cloud images
Any "solution" for the reboot problem that assumes that there is a user
who regularly logs into the machine misses the problem.
> bye,
> pabs
cu
Adrian
ad of the current practice where the maintainer can
just submit an "RM: dasher" and a few hours later the package is gone?
> We got plenty of packages orphaned for a decade that are in a good
> condition.
cu
Adrian
On Sun, Nov 06, 2016 at 12:03:03AM +0100, Philipp Kern wrote:
> On 2016-11-05 22:23, Adrian Bunk wrote:
> > The solution you are trying to sell is apt-transport-https as default.
> [...]
> > Your solution would be a lot of work with relatively little improvement.
>
> Well
the current stretch release schedule
are just resulting in a lot of people wasting a lot of time.
> Thanks,
> ~Niels
>...
cu
Adrian
ve another way out?
Yes, patching the OpenSSL 1.1 features that are really needed into the
Debian OpenSSL 1.0.2 package.
For ChaCha20 that's existing patches that are already being used
elsewhere.
cu
Adrian
On Tue, Nov 15, 2016 at 07:03:28PM +1100, Scott Leggett wrote:
> On 2016-11-15.00:16, Adrian Bunk wrote:
> > Bugs like "With Kurt's patch, apache2 crashes on startup with an invalid
> > free."
> > or #843988 will be a common sight on the list of RC bugs fo
e), and much screaming.
>
> An alternative to find problems with (un-)locking should be to compile
> the program in question with -fsanitize=thread (on amd64) and run it.
>
> Unfortunately, in current unstable with thread sanitizer one might get
> #796246 (at least I had this)
On Wed, Nov 16, 2016 at 12:15:39AM +0100, Sebastian Andrzej Siewior wrote:
> On 2016-11-15 00:16:14 [+0200], Adrian Bunk wrote:
> > And since 80% of all OpenSSL-using packages in unstable are still
> > using libssl1.0.2 (binNMUs have not yet happened), all runtime
> > issue
ave to enter testing at the same time.
#736687 is a non-issue for the transition itself, and the release team
can force a package into testing ignoring such a bug.
> Scott K
cu
Adrian
On Wed, Nov 16, 2016 at 10:53:18PM +0100, Sebastian Andrzej Siewior wrote:
> On 2016-11-16 19:49:44 [+0200], Adrian Bunk wrote:
> > The problem are not specific bugs, the problem is the whole size of the
> > problem:
> >
> > 1. Sorting out what packages have to stay a
g build :-(
But we do already have > 1 year of widespread testing by users
running unstable/testing on machines with TSX enabled.
So for unstable/stretch this does not seem to be a huge problem.
These are normal bugs that should be found and fixed if possible,
just like passing a pointer in an int
On Thu, Nov 17, 2016 at 11:38:46AM -0200, Henrique de Moraes Holschuh wrote:
> On Thu, Nov 17, 2016, at 09:50, Adrian Bunk wrote:
> > But we do already have > 1 year of widespread testing by users
> > running unstable/testing on machines with TSX enabled.
> >
> > So
On Thu, Nov 17, 2016 at 10:43:53PM +0100, Moritz Mühlenhoff wrote:
> Adrian Bunk schrieb:
> > On Tue, Nov 15, 2016 at 09:37:01AM -0300, Lisandro Damián Nicanor Pérez
> > Meyer wrote:
> >> On lunes, 14 de noviembre de 2016 16:51:04 ART Marco d'Itri wrote:
> >>
On Fri, Nov 18, 2016 at 10:22:59PM +0100, Moritz Mühlenhoff wrote:
> Adrian Bunk schrieb:
> > And/or get sponsorship from companies for supporting ChaCha20-patched
> > 1.0.2
>
> It's not a matter of whipping up some patch; anything less than an
> official backp
> allowed.
>
> That Depends seems wrong, there's no reason a -dbg package needs a
> dependency on anything, AFAICT.
A -dbg package only works with the exact version of the package it
provides the debug symbols for.
> Cheers,
> Julien
cu
Adrian
undary
> (including the application).
If inspection is not easily possible, then adding a dependency on
libssl1.0-dev to qtbase5-private-dev should be sufficient to
ensure that this is not leaked to a different OpenSSL version.
cu
Adrian
On Thu, Nov 24, 2016 at 03:20:06PM +0100, Jan Niehusmann wrote:
> On Thu, Nov 24, 2016 at 03:59:10PM +0200, Adrian Bunk wrote:
> > If inspection is not easily possible, then adding a dependency on
> > libssl1.0-dev to qtbase5-private-dev should be sufficient to
> > ensure th
ld
also set the incentive the wrong way.
If it is likely that some packages cannot be supported until the end of
the (non-LTS) lifetime of stretch in mid/end-2020, then please file RC
bugs to keep these packages out of stretch.
> Cheers,
cu
Adrian
y of deciding" is that not shipping any web browser
would not be a realistic option.
For nearly any other package, not shipping it in a stable is the better
option for Debian.
cu
Adrian
On Thu, Nov 24, 2016 at 02:50:23PM -0200, Henrique de Moraes Holschuh wrote:
> On Thu, 24 Nov 2016, Adrian Bunk wrote:
> > On Wed, Nov 23, 2016 at 11:50:12PM -0200, Henrique de Moraes Holschuh wrote:
> > > On Thu, 24 Nov 2016, Kurt Roeckx wrote:
> > >...
> > >
On Thu, Nov 24, 2016 at 07:08:33PM +0100, Daniel Pocock wrote:
>
>
> On 24/11/16 17:39, Adrian Bunk wrote:
> > On Thu, Nov 24, 2016 at 05:22:29PM +0100, Daniel Pocock wrote:
> >> ...
> >> For networked services, it is different.
> >>
> >> D
a package upload in 2016[1] and speak
Lithuanian might be zero.
> Christoph
cu
Adrian
[1] any package, as definition of "active developer"
s still present?
It might take a user hours (or even days) to verify whether a problem is
still present.
It would be very evil if a user would spend effort after such an
email, but the next he hears from the maintainer would be another
such request to try the then-latest version a year lat
On Mon, Dec 19, 2016 at 10:15:33PM +0100, Daniel Pocock wrote:
>
>
> On 19/12/16 21:57, Adrian Bunk wrote:
> > On Thu, Dec 15, 2016 at 11:11:27AM +0100, Daniel Pocock wrote:
> >>
> >> Is there any easy way to contact everybody who made a bug report against
> >
Adrian
[1] https://lintian.debian.org/tags/no-strong-digests-in-dsc.html
[2] there are several that are orphaned but the maintainer field
has not yet been updated to the Debian QA Group
[3] many of the maintainers of these packages will also be in my next
list of potentially MIA people to the
so globally enabled.
This is a very good suggestion.
When PIE works without problems on a port, a porter should request that
it gets enabled by default for that port in gcc.
When PIE does not work without problems on a port, nothing should
enable it on that port.
> Thanks,
> Guillem
for
ubuntu or raspbian in debian/rules, and adding something similar for
build dependencies would sound reasonable to me.
> Mike Stone
cu
Adrian
stretched developer resources.
> Thanks,
> Guillem
cu
Adrian
equires
from non-trivial packages.
> Scott K
>...
cu
Adrian
BTW: My pet rant about debian/copyright is that too much emphasis
is placed on the copyright years that are usually irrelevant,
since copyright expires no earlier than 50 years [3] after
the death of the author.[4][5]
On Tue, Jan 09, 2018 at 07:29:51PM -0500, Sam Hartman wrote:
> >>>>> "Adrian" == Adrian Bunk writes:
>
> Adrian> On Tue, Jan 09, 2018 at 01:23:32PM +0100, Guillem Jover wrote:
> >> ... Given the background of build-profiles, I'm very m
officially support rebuilding the
whole archive of a stable release with fewer libraries.
> Cheers,
> Emilio
cu
Adrian
ill start
a "remove Berkeley DB" discussion on this mailing list... ;-)
> Thanks,
> Lionel.
cu
Adrian
[1] it is not clear whether there will have to be one more
Debian release with Berkeley DB just for upgrades
On Sat, Jan 27, 2018 at 12:25:20PM +0100, Lionel Debroux wrote:
> Hi Adrian,
Hi Lionel,
> On 1/27/18 6:27 AM, Adrian Bunk wrote:
>...
> > There doesn't seem to be any disagreement on the general idea,
> > the only thing missing is a person doing the work on getting
>
I don't know what was used, perhaps something like
sudo apt-get install devscripts ubuntu-dev-tools
reverse-depends -l -s src:db5.3 | dd-list -i
> In order to sort libdb5.3's reverse dependencies by popularity,
>...
I'm not convinced that would bring much value,
someone w
...
This would only be sufficient for the easy cases where the data stored
is temporary or cached and can be thrown away.
> Best regards
>
> David Kalnischkies
cu
Adrian
who are not following unstable the situation
is less rosy.
And if a normal user would notice immediately, what could he/she do?
Even an RFP to get a perfectly working package re-added just like it
was before the removal has close to zero chance of being acted on.
> Scott K
cu
Adrian
removed compared to when it was first shipped in a stable release.[1]
At that point the actual question is why we did allow the package
to be ITP'ed into Debian at all.
cu
Adrian
[1] from a user perspective
The chances of someone looking at this specific BTS page during the
short amount of time between it showing up there and the actual
removal are close to zero.
cu
Adrian
BTW: And then the next problem would be that the ftp team tends
to ignore non-maintainer objections in RM bugs and removes
de.js packages that are part of Debian.
> Mike Stone
cu
Adrian
On Fri, Feb 02, 2018 at 12:17:14PM -0500, Scott Kitterman wrote:
> On Friday, February 02, 2018 06:30:28 PM Adrian Bunk wrote:
> > On Wed, Jan 31, 2018 at 11:18:28PM -0500, Scott Kitterman wrote:
> > > On Thursday, February 01, 2018 11:56:21 AM Paul Wise wrote:
> > > >
On Sat, Feb 03, 2018 at 05:57:26PM +, Colin Watson wrote:
> On Fri, Feb 02, 2018 at 06:44:36PM +0200, Adrian Bunk wrote:
> > On Fri, Feb 02, 2018 at 02:29:49AM +, Colin Watson wrote:
> > > It'd probably make sense to use
> > > https://www.debian.org/Bugs
On Sat, Feb 03, 2018 at 02:01:38AM -0500, Scott Kitterman wrote:
> On Saturday, February 03, 2018 08:20:02 AM Adrian Bunk wrote:
>...
> > Do you have any suggestion better than "ITP immediately followed by
> > orphaning" for packages I consider useful but don't
he lifetime of a stable
Debian release, it is better for our users when they are installing the
software from upstream with the security support provided by upstream.
> Michael
cu
Adrian
Pi ecosystem would be the more
logical choice here.
> Samuel
cu
Adrian
[1] and the Debian derivative Raspbian
lear picture from the start when upgrades to new major versions
will have to be planned.
> Michael
cu
Adrian
On Sun, Feb 18, 2018 at 11:47:52PM +0100, Vincent Bernat wrote:
> ❦ 18 février 2018 23:53 +0200, Adrian Bunk :
>
> >> Who said we cannot properly maintain this stuff? And where do you
> >> think our expected level of quality (whatever that is) will not be
> >>
On Mon, Feb 19, 2018 at 09:18:13AM +0100, Philipp Kern wrote:
> On 2018-02-18 22:53, Adrian Bunk wrote:
> > In the year 2018, any kind of "properly maintain" includes security
> > support.
> >
> > Please elaborate how Debian can provide security support for p
oyed via unattended-upgrades to
millions of machines running Debian stable.
> Michael
cu
Adrian
re of an ecosystem, but it uses both Node.js
and Rails. How can you guarantee to provide "security by upstream
releases" for gitlab until mid-2022 if a new gitlab might require
more recent versions of many dependencies?
> Michael
cu
Adrian
kages without security support
in the default install would already be an improvement compared to
stretch...
cu
Adrian
ipping the software
in Debian.
And it's distribution-agnostic, meaning it can be provided once by
upstream for all distributions instead of duplicating work in every
Linux distribution.
> Michael
cu
Adrian
On Mon, Feb 19, 2018 at 03:52:30PM -0500, Roberto C. Sánchez wrote:
> On Mon, Feb 19, 2018 at 10:16:56PM +0200, Adrian Bunk wrote:
> > On Mon, Feb 19, 2018 at 08:40:12PM +0100, Michael Meskes wrote:
> > >...
> > > > An example what "no security support"
specific.
You were talking about flatpak.
The whole point of flatpak is that the same app is equally integrated
in all Linux distributions.
> Michael
cu
Adrian
e used with untrusted
content, such as unsanitized data from the Internet."
IMHO any package in Debian stable that uses a node* package on untrusted
content should get an RC bug and a CVE - it is clearly documented that
this should not be done.
> Regards,
> smcv
>...