Glassfish security support (in Squeeze)

Raphael Hertzog hertzog at debian.org
Thu Sep 25 13:24:53 UTC 2014


On Thu, 25 Sep 2014, Christoph Biedl wrote:
> Raphael Hertzog wrote...
> 
> > For Squeeze LTS, we can't really remove a single binary package with an
> > update since the update lives in its own squeeze-lts repository and this
> > would not remove the package in the main "squeeze" repo.
> 
> To me, this sounds like a solution for the problem (I did not repeat
> the dependency check, though). So where's the problem? Those who did
> not configure squeeze-lts in sources.list are on unsupported grounds
> anyway.

How so? Imagine someone with glassfish-appserver installed. He has no
other binary packages from glassfish. We push an update in squeeze-lts
that drops glassfish-appserver. For APT, the latest version of the package
is the one in squeeze and the user doesn't see any update.

So the only solution would be to provide an empty binary package saying
that the package is no longer supported but that would break his
installation and he would be forced to downgrade to keep it running
despite the known security problems.

None of those solutions look satisfying.

> > Christoph, is it
> > possible to mark only a single binary package as unsupported?
> 
> Unfortunately no but I consider this a sound feature request.
> Especially if you decide to go this way, I'll put some priority onto
> it. Let me know in due course.

I think we would like to pursue this path, yes. Would you like a wishlist
bug report for this?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
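
The APT behaviour described in the message above, as an added example that is not part of the original email: a small Python check that lists installed binary packages whose source received a squeeze-lts upload that no longer builds them, so APT never offers an update. The package stanzas, version strings, and the names `glassfish-lib-example` and `unrelated-example` are constructed for illustration.

```python
# Added illustration; package stanzas and version strings below are constructed.
SQUEEZE = """\
Package: glassfish-appserver
Source: glassfish
Version: 1.0-1

Package: glassfish-lib-example
Source: glassfish
Version: 1.0-1

Package: unrelated-example
Version: 2.0-1
"""

SQUEEZE_LTS = """\
Package: glassfish-lib-example
Source: glassfish
Version: 1.0-1+deb6u1
"""


def parse_index(text):
    """Parse Packages-style stanzas into {binary: {field: value}}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        # Source is omitted when it equals the binary name; it may carry "(version)".
        fields["Source"] = fields.get("Source", fields["Package"]).split()[0]
        index[fields["Package"]] = fields
    return index


def silently_unsupported(installed, main, lts):
    """Installed binaries that the LTS upload of their source no longer builds.

    APT only compares versions it can see, so for these the candidate stays
    the version in the main suite and no upgrade is ever offered.
    """
    lts_sources = {f["Source"] for f in lts.values()}
    return sorted(
        name for name in installed
        if name in main and name not in lts and main[name]["Source"] in lts_sources
    )


if __name__ == "__main__":
    main, lts = parse_index(SQUEEZE), parse_index(SQUEEZE_LTS)
    print(silently_unsupported(["glassfish-appserver", "glassfish-lib-example"], main, lts))
```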