pkgsrc-Users archive


Re: HEADS UP: security/audit-packages removal

Jeremy C. Reed wrote:
> On Fri, 11 Jan 2008, Adrian Portelli wrote:
>
> > Ok, I'll remove security/audit-packages on Sunday and bump PKGTOOLS_REQD.
>
> And add a note to the vulnerabilities database about it?

No. There will be no note initially as it will be supported at least until 2008Q1 is cut. When we stop updating it or a little before we will add an entry telling users it's being killed and point them to installing a newer pkg_install.

> I don't understand the PKGTOOLS_REQD bump at this time.
>
> Even if you remove security/audit-packages, I don't see how that will cause problems for the near future (as long as we provide the vulnerabilities database compatible with it).
>
> If someone wants to install audit-packages, they can choose to install pkg_install. And if they already have audit-packages why are they required to update pkg_install?

Well for a start the newer pkg_install conflicts with audit-packages as they both install audit-packages files. So it's not actually possible to have a newer pkg_install and audit-packages package on a system at the same time.

> Why is bumping PKGTOOLS_REQD required? Maybe that should not be bumped until the old vulnerabilities database is no longer updated.

The concern voiced was that we are taking something away (i.e. security/audit-packages) so we should clearly define an easy upgrade path. By bumping PKGTOOLS_REQD users can upgrade[1] and get the same level of functionality they did when they had security/audit-packages installed. As an added bonus it makes it easier for pkgsrc users to use it as they will have all the tools they need when pkg_install is updated.


[1] Technically this will require a 'pkg_delete audit-packages' first
