tech-pkg archive
Re: Bulk packages and security updates
John Klos <john%klos.com@localhost> writes:
>>> I only remove packages for security issues when new, updated ones have
>>> been made and uploaded.
>>
>> I don't think we should do that, unless we remove all packages for which
>> there is an updated version, for any kind of bugfix. Basically if we
>> are trying to deny code to someone because of a security concern, I
>> think we're doing it wrong.
>
> I don't understand. What does "trying to deny code" mean here? Are you
> saying that after sudo got updated from 1.9.16p2nb2 to 1.9.17p1, the
> sudo-1.9.16p2nb2 binary packages should be kept along with 2025Q2
> packages?
>
> And yes, I think we should remove all packages for which there is an
> updated version. When there are updates like php8{1,2,3,4}, is there a
> reason to keep the old ones?
>
> I always thought that if a change is important enough to have a
> pullup, it's important enough to have the new version in the current
> quarter's collection.
I agree (and I think everybody does) that if there is a pullup, the
new package should be built, assuming someone(tm) does the work and has
the cpu/etc. time.
What I am objecting to is trying to remove packages from our ftp space
*because* they have vulnerabilities. That's what I sensed you wanted to
do.
If the practice is to do a new pbulk run and remove packages when
there is a superseding package (same name, higher version), and that
removal is done for any reason, ranging from spelling fix to security,
that seems ok.
My point was that if there is even the slightest element of "this is
vulnerable; I don't want people to have access to it", or special
treatment for removals for security, that's not ok.