On Mon, Dec 06, 2010 at 01:55:26PM -0800, Jeff Sheltren wrote:
> On Mon, Dec 6, 2010 at 12:57 PM, Stephen John Smoogen
>> On Mon, Dec 6, 2010 at 13:38, Jeff Sheltren <jeff(a)osuosl.org> wrote:
>>> On Tue, Nov 30, 2010 at 12:53 PM, Stephen John Smoogen <smooge(a)gmail.com>
>>>> I plan to EOL mediawiki for the EPEL releases for EL-4,5,6 due to
>>>> packaging newer ones using mediawiki114,mediawiki115, mediawiki116.
>>> As far as I can see, 1.14 is not supported upstream. How do you
>>> propose handling security issues with that version? How will you
>>> handle the transition from 1.15 when that loses upstream support?
>> I do not plan to handle security issues.
> Are other people worried about EPEL shipping/maintaining packages with
> known security issues? Even with a big "DON'T USE THIS PACKAGE" in
> the package description and/or README file, I'm sure that there will
> be those that install it. This doesn't seem like a very responsible
> thing for us to do in general.
I would call it more realistic than irresponsible. We can't make
someone remove a package from their system, and we by and large don't
have the resources to backport security fixes into something as
complicated as Wikipedia.
I guess the argument is Obsoleting wikipedia and wikipedia114? So
would automatically breaking a user's installation be preferable to
leaving them open to attack? Does EPEL advertise that it provides
completely secure packages or 'best-effort' only and it's up to
individual administrators to keep their eyes on such things?
I think the latter is the only realistic approach "in general". And
even in this specific case, I'd rather not see my (internal) Mediawiki
1.14 install broken automatically by an upgrade to 1.15.
Too bad there's not some slick way to automatically notify users via
email. Opt-in of course, and accessible via pkgname-epel-users(a)fp.o
or something. :)
Jeff does bring up a good point though -- I imagine there are other
packages that would fall under this umbrella (gallery2?).
Just my $0.02.