On 10/31/06, Stephen Bennett <[EMAIL PROTECTED]> wrote:
> Having a system that actually works is usually reckoned to be more important than patching minor security holes on architectures that aren't security-supported anyway. On systems that are almost never used in production or in externally visible roles, security bugs are much akin to simple enhancements to a package that already works, and fixing packages that don't work takes precedence.
Thanks for that. It's much appreciated.

This leaves package maintainers in the situation that there are 'old'/'insecure'/<insert preferred adjective here> versions of packages that are hanging around only because arches have fallen behind. Package maintainers want to be able to remove these old versions, but currently cannot because of keywording-lag.

At the moment, it looks like there are a few choices:

1) Leave the older versions in the tree, even though they are insecure and possibly/probably no longer supported by package maintainers. This keeps minority arches happy at the expense of the larger group of package maintainers.

2) Or, remove the older versions from the tree after a suitable waiting period (say, 3 months for argument's sake). This will keep package maintainers happy, and our users (less cruft in the tree to rsync and metadata-cache), but causes real trouble for minority arches.

3) ??

Best regards,
Stu