[Pkg-openldap-devel] RE: LDAP/BDB log purging (fwd)

Quanah Gibson-Mount quanah at stanford.edu
Wed Mar 7 00:13:27 UTC 2007



--On Tuesday, March 06, 2007 3:01 PM -0800 Russ Allbery <rra at debian.org> wrote:

> Quanah Gibson-Mount <quanah at stanford.edu> writes:
>
>> Just to follow up on this point -- I understand the desire to move away
>> from BDB 4.2.  However, I feel that as long as it is being offered, I
>> would expect it to be maintained well at least as far as using what the
>> upstream provider says is necessary.  The patch in question has been out
>> for nearly 2 years (March 22, 2005), and was noted as a requirement for
>> use with OpenLDAP 2.3.  If there was a major security vulnerability
>> announced in the OpenLDAP 2.1 libraries, and a patch was provided by
>> upstream to handle it, I'd expect that would end up in Debian as long as
>> the 2.1 libraries are offered.  With a database, I'd expect fixes that
>> cause data corruption to be added to the package as long as it is made
>> available.  It may not be a security vulnerability, but it is a severe
>> problem that affects the users of the software, and I know they have
>> expectations as to how they believe the product is packaged and its
>> reliability.
>
> Yeah, well, I don't disagree with you, but I also don't have a stick to
> hit people with until they do my will.  :)  It's a volunteer project, and
> there's more work and more packages in Debian than there are maintainers
> with time to stay very closely involved with upstream.  I know it's
> frustrating.  It's just a constraint that we have to work with.  It's not
> malice, just being way too busy.  Y'know, the same reasons why lsdb is
> still running on Solaris and Oracle and using an ancient
> Stanford::Directory.  :)

I certainly understand.  I'm having a hard enough time right now getting 
the work done I'm paid to do. ;)

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html


