On 2016-11-10 09:45, Paul Wise wrote:
> My intuition says that there are users who don't have apt-listchanges
> installed or don't read the NEWS files. The most likely place folks
> will see the notification is in the UI of the malware package itself.
This is true. OTOH, if the WOT UI is gone, use
On Wed, 2016-11-09 at 16:17 +0100, W. Martin Borgert wrote:
> Would NEWS.Debian be sufficient?
My intuition says that there are users who don't have apt-listchanges
installed or don't read the NEWS files. The most likely place folks
will see the notification is in the UI of the malware package it
On 2016-11-09 18:44, Holger Levsen wrote:
On Wed, Nov 09, 2016 at 07:14:45PM +0100, W. Martin Borgert wrote:
If users of testing or unstable have the malware installed now and
the package gets removed from the archive, users are left with the
malware, right?
yes
That's why I thought about up
W. Martin Borgert:
> On 2016-11-09 19:34, Ximin Luo wrote:
>> Context for the new list you added, please?
>
> #842939
>
> Is it OK, if I do the upload? I'm in the team, but David Prévot
> did previous uploads.
>
Yes, go ahead and do the upload, it's what team maintenance is for :) You can
`dch
On 2016-11-09 19:34, Ximin Luo wrote:
> Context for the new list you added, please?
#842939
Is it OK, if I do the upload? I'm in the team, but David Prévot
did previous uploads.
Cheers
Holger Levsen:
> On Wed, Nov 09, 2016 at 04:17:58PM +0100, W. Martin Borgert wrote:
>> Would NEWS.Debian be sufficient?
>
> I think so. And I also think this should be done.
>
> and, who's gonna file the RM bug for unstable?
>
Context for the new list you added, please?
--
GPG: ed25519/56034
Quoting Holger Levsen:
i'm not sure about the releasing with stretch part. Maybe it would be
better to have the updated, empty package in stretch in 5plusX days and
then remove it before the release, say on January 1st.
Ah, OK. Understood. Well, maybe As Short As Possible before the release,
d
On Wed, Nov 09, 2016 at 07:14:45PM +0100, W. Martin Borgert wrote:
> If users of testing or unstable have the malware installed now and
> the package gets removed from the archive, users are left with the
> malware, right?
yes
> That's why I thought about uploading an empty package to unstable,
Quoting Holger Levsen:
On Wed, Nov 09, 2016 at 05:35:20PM +0100, W. Martin Borgert wrote:
Quoting Holger Levsen:
>I think so. And I also think this should be done.
>and, who's gonna file the RM bug for unstable?
I would RM for buster, because users of stretch might already be affected.
that's
On Wed, Nov 09, 2016 at 05:35:20PM +0100, W. Martin Borgert wrote:
> Quoting Holger Levsen:
> >I think so. And I also think this should be done.
> >and, who's gonna file the RM bug for unstable?
> I would RM for buster, because users of stretch might already be affected.
that's not how it works. Y
Quoting Holger Levsen:
I think so. And I also think this should be done.
and, who's gonna file the RM bug for unstable?
I would RM for buster, because users of stretch might already be affected.
On Wed, Nov 09, 2016 at 04:17:58PM +0100, W. Martin Borgert wrote:
> Would NEWS.Debian be sufficient?
I think so. And I also think this should be done.
and, who's gonna file the RM bug for unstable?
--
cheers,
Holger
On 11/09/16 15:59, Paul Wise wrote:
> On Wed, Nov 9, 2016 at 10:54 PM, W. Martin Borgert wrote:
>
>> What do you think?
>
> A new empty package would be better than just removing it but the user
> would not get any notification about why the functionality is gone nor
> any information about the p
Quoting Paul Wise:
A new empty package would be better than just removing it but the user
would not get any notification about why the functionality is gone nor
any information about the privacy violations they were subject to.
Would NEWS.Debian be sufficient?
On Wed, Nov 9, 2016 at 10:54 PM, W. Martin Borgert wrote:
> What do you think?
A new empty package would be better than just removing it but the user
would not get any notification about why the functionality is gone nor
any information about the privacy violations they were subject to.
--
bye,
Hi,
because of the WOT[*] incident, I wonder how Debian should handle
malware packages in favour of our users.
The current scheme is to remove the offending package from stable and
go along. With unattended-upgrades or other automatic upgrade schemes,
such packages would remain on many systems a