[Pkg-openldap-devel] RE: LDAP/BDB log purging (fwd)

Russ Allbery rra at debian.org
Wed Mar 7 00:01:05 UTC 2007


Quanah Gibson-Mount <quanah at stanford.edu> writes:

> Just to follow up on this point -- I understand the desire to move away
> from BDB 4.2.  However, I feel that as long as it is being offered, I
> would expect it to be maintained well at least as far as using what the
> upstream provider says is necessary.  The patch in question has been out
> for nearly 2 years (March 22, 2005), and was noted as a requirement for
> use with OpenLDAP 2.3.  If there was a major security vulnerability
> announced in the OpenLDAP 2.1 libraries, and a patch was provided by
> upstream to handle it, I'd expect that would end up in Debian as long as
> the 2.1 libraries are offered.  With a database, I'd expect fixes that
> cause data corruption to be added to the package as long as it is made
> available.  It may not be a security vulnerability, but it is a severe
> problem that affects the users of the software, and I know they have
> expectations as to how they believe the product is packaged and its
> reliability.

Yeah, well, I don't disagree with you, but I also don't have a stick to
hit people with until they do my will.  :)  It's a volunteer project, and
there's more work and more packages in Debian than there are maintainers
with time to stay very closely involved with upstream.  I know it's
frustrating.  It's just a constraint that we have to work with.  It's not
malice, just being way too busy.  Y'know, the same reasons why lsdb is
still running on Solaris and Oracle and using an ancient
Stanford::Directory.  :)

Anyway, in this particular case, it seems like the first thing that needs
to happen is for this bug to get upgraded to grave (since it causes data
loss), which is a crappy thing to do to a maintainer at this point in the
release cycle.  But I guess that's how it broke.

I can try to write up a message to the bug so that the maintainers know
why it's suddenly going from wishlist to grave, unless someone else wants
to grab it before I do.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>


