On Tue, 17 Aug 2010 16:11:42 +0400, Peter Volkov wrote:

> On Tue, 17/08/2010 at 11:27 +0200, Alex Legler wrote:
> > but as for removing the old versions, that's something we usually
> > ask people to do after bumping packages with security issues to
> > minimize the risk of people installing possibly vulnerable versions.
>
> I agree with removal but not immediately. Personally I already had
> issues with another web application: it worked in my installation, but
> people were unable to use it after security fix.

In that case: Reopen the bug and inform us. Besides, you should only get
issues when dealing with ~arch ebuilds as they're not tested. But that's
what you get for using testing. *shrug*

> Since having
> vulnerable but working installation is better than "fixed" but
> broken,

No offense, but that's just naive.

> I'd rather always kept old versions for some time.

Use a local overlay then.

> Also it's
> not a big problem to have old versions in the tree since you have to
> specify version number explicitly to install them...
>

You obviously haven't been in our support venues and seen what some
people are able to do...

--
Alex Legler | Gentoo Security / Ruby
a3li@gentoo.org | a3li@jabber.ccc.de