Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-29 Thread Pirate Praveen
[Resending because I got some bounces] On 2019, August 29 7:50:00 PM IST, Dan Clery wrote: >Isn't this the sort of problem that things like flatpak or snap were >created for? In those solutions either security updates have to be handled by each flatpak or snap instead of sharing it (duplicatio

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-29 Thread Pirate Praveen
[Resending because I got some bounces] On 2019, August 29 7:10:38 PM IST, Abhijith PA wrote: > >Hi, > >On 29/08/19 6:47 pm, Paul Gevers wrote: >> Hi >> >> On 29-08-2019 14:28, Raphael Hertzog wrote: >>> (Note: pkg-security@tracker.d.o is not a valid email, dropped) >>> >>> Hi, >>> >>> On Thu

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-29 Thread Dan Clery
Isn't this the sort of problem that things like flatpak or snap were created for? On Thu, Aug 29, 2019 at 9:57 AM Abhijith PA wrote: > Hi, > > On 29/08/19 6:47 pm, Paul Gevers wrote: > > Hi > > > > On 29-08-2019 14:28, Raphael Hertzog wrot

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-29 Thread Abhijith PA
Hi, On 29/08/19 6:47 pm, Paul Gevers wrote: > Hi > > On 29-08-2019 14:28, Raphael Hertzog wrote: >> (Note: pkg-security@tracker.d.o is not a valid email, dropped) >> >> Hi, >> >> On Thu, 29 Aug 2019, Holger Levsen wrote: In general, we (Deb

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-29 Thread Paul Gevers
Hi On 29-08-2019 14:28, Raphael Hertzog wrote: > (Note: pkg-security@tracker.d.o is not a valid email, dropped) > > Hi, > > On Thu, 29 Aug 2019, Holger Levsen wrote: >>> In general, we (Debian) don't have a good answer to this problem and >>> virtualbox is clearly a bad precedent. We really need

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-29 Thread Raphael Hertzog
(Note: pkg-security@tracker.d.o is not a valid email, dropped) Hi, On Thu, 29 Aug 2019, Holger Levsen wrote: > > In general, we (Debian) don't have a good answer to this problem and > > virtualbox is clearly a bad precedent. We really need to find a solution > > to this in concertation with the r

how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-29 Thread Holger Levsen
hi, (this started as a discussion whether to update radare2 in (old)stable and has since then evolved into a discussion about the problem summarized well by Raphael.) On Thu, Aug 29, 2019 at 01:48:14PM +0200, Raphael Hertzog wrote: > On Thu, 29 Aug 2019, Moritz Mühlenhoff wrote: > > The upstream

Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-08-29 Thread Raphael Hertzog
Hi, On Thu, 29 Aug 2019, Moritz Mühlenhoff wrote: > The upstream link makes it sound as if they are one of those upstreams > which reject the idea of distributions shipping an older release to > a stable distro. For a tool like radare2 that seems fair enough, so > how about simply excluding it fro

Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-08-29 Thread Moritz Mühlenhoff
Adding the radare2 uploaders to CC. On Fri, Aug 16, 2019 at 11:23:05PM +0200, Markus Koschany wrote: > >> + NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in > >> + NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. Should > >> we > >> + NOTE: continue the current