On 07/31/2010 04:38 PM, Nico Golde wrote:
Package: ftp.debian.org
Severity: normal

Hi,
I hereby request the removal of lxr from the archive; it should not be
included in squeeze either.

The version that our package is currently based on is 0.3 (from 2003), which
is light years behind upstream, has security bugs and is not properly maintained.
See e.g. #588138 and #585411. Probably #575745 affects lxr as well, but it is hard to tell
since the code differs heavily, it being so old.

There has been no move from the maintainer towards packaging current upstream
versions and given the small number of popcon installations this doesn't have
an impact on many users.

No, please wait. I agree that there are problems, but:
- I would not include it in squeeze anyway
- let the security fixes in lxr go in first, then we could see if we
could remove it.

BTW, most of the security bugs are only in lxr-cvs, which is an
"enhancement" of lxr with other upstreams.
One of the enhancements was to allow cross-referencing many languages, thus doing indirect regex and other more complex tasks, inducing
such errors. LXR instead has hardcoded C decoding, and it seems to have
many fewer errors.

For now I would remove lxr and lxr-cvs from squeeze, and
I'll ask upstream what their plans are, and probably I'll propose
to also remove lxr-cvs.

ciao
    cate

PS: I would use some debconf time to improve the situation so
that users will not have security problems after we remove
the packages.
