"J. Lewis Muir" <jlmuir%imca-cat.org@localhost> writes: > I didn't read the CVE, but I assumed that since Iain said it was given > a "high rating," it would affect a lot of people. Anyway, even if it > wouldn't affect many people, I would still think it should be addressed, > but as I said above, if upstream has a problem with making patch > releases that break ABI backward compatibility, that's a very difficult > situation, and I don't see a good way to deal with that, and I don't > think the responsibility should fall on pkgsrc developers. There's an important point here that your language is mischaracterizing. Pkgsrc the project imposes an expectation of people that work within it that they will not make changes that cause serious breakage. We do *not* have any imposed expecatations that anyone will do any particular work to achieve any goals. However, we have a history where this frequently happens. So pkgsrc does not have a responsibility to users to do updates, and in particular no individual has a responsibility to TNF of any user of pkgsrc to take any affirmative step. I see assertions of such responsibilty as contrary to Free Software norms and dangerous. pkgsrc is Free Software, without warranty. If a user of software wants to have their expecttations met in a guaranteed manner, they should hire someone to do that for them, and that's outside the scope of this list and the project.