From: Alex Legler
To: gentoo-dev@lists.gentoo.org
Date: Tue, 17 Aug 2010 18:30:20 +0200
Subject: Re: [gentoo-dev] Re: [gentoo-commits] gentoo-x86 commit in www-apps/drupal: drupal-5.23.ebuild ChangeLog drupal-6.19.ebuild drupal-6.16.ebuild drupal-6.17.ebuild drupal-5.22.ebuild
Message-ID: <20100817183020.0ab2d429@mail.a3li.li>
In-Reply-To: <1282047102.28395.398.camel@tablet>

On Tue, 17 Aug 2010 16:11:42 +0400, Peter Volkov wrote:

> On Tue, 17/08/2010 at 11:27 +0200, Alex Legler wrote:
> > but as for removing the old versions, that's something we usually
> > ask people to do after bumping packages with security issues to
> > minimize the risk of people installing possibly vulnerable versions.
>
> I agree with removal but not immediately. Personally I already had
> issues with another web application: it worked in my installation, but
> people were unable to use it after security fix.

In that case: Reopen the bug and inform us. Besides, you should only
get issues when dealing with ~arch ebuilds as they're not tested. But
that's what you get for using testing. *shrug*

> Since having
> vulnerable but working installation is better than "fixed" but
> broken,

No offense, but that's just naive.

> I'd rather always keep old versions for some time.

Use a local overlay then.

> Also it's
> not a big problem to have old versions in the tree since you have to
> specify version number explicitly to install them...

You obviously haven't been in our support venues and seen what some
people are able to do...

-- 
Alex Legler | Gentoo Security / Ruby
a3li@gentoo.org | a3li@jabber.ccc.de