On Mon, Dec 06, 2010 at 01:55:26PM -0800, Jeff Sheltren wrote:
> On Mon, Dec 6, 2010 at 12:57 PM, Stephen John Smoogen <smooge@gmail.com> wrote:
> > On Mon, Dec 6, 2010 at 13:38, Jeff Sheltren <jeff@osuosl.org> wrote:
> > > On Tue, Nov 30, 2010 at 12:53 PM, Stephen John Smoogen <smooge@gmail.com> wrote:
> > > > I plan to EOL mediawiki for the EPEL releases for EL-4,5,6 due to packaging newer ones using mediawiki114, mediawiki115, mediawiki116.
> > > As far as I can see, 1.14 is not supported upstream. How do you propose handling security issues with that version? How will you handle the transition from 1.15 when that loses upstream support?
> > I do not plan to handle security issues.
> Are other people worried about EPEL shipping/maintaining packages with known security issues? Even with a big "DON'T USE THIS PACKAGE" in the package description and/or README file, I'm sure that there will be those that install it. This doesn't seem like a very responsible thing for us to do in general.
> -Jeff
I would call it more realistic than irresponsible. We can't make someone remove a package from their system, and we by and large don't have the resources to backport security fixes into something as complicated as Wikipedia.
I guess the argument is Obsoleting wikipedia and wikipedia114? So would automatically breaking a user's installation be preferable to leaving them open to attack? Does EPEL advertise that it provides completely secure packages or 'best-effort' only and it's up to individual administrators to keep their eyes on such things?
I think the latter is the only realistic approach "in general". And even in this specific case, I'd rather not see my (internal) Mediawiki 1.14 install broken automatically by an upgrade to 1.15.
Too bad there's not some slick way to automatically notify users via email. Opt-in of course, and accessible via pkgname-epel-users@fp.o or something. :)
Jeff does bring up a good point though -- I imagine there are other packages that would fall under this umbrella (gallery2?).
Just my $0.02.
Ray