Hi Benjamin,

On Sun, February 21, 2010 17:19, Benjamin Vetter wrote:
> I'm wondering why the squirrelmail package has a php4 -or- php5
> dependency http://packages.debian.org/en/lenny/squirrelmail
> I updated from etch to lenny a long time ago, but I still had etch's php4
> installed through this optional dependency, because lenny does not have
> any php4 packages (only php5).
>
> Furthermore, there is no security support for etch anymore, so it would
> result in using a rather old php4 package without security support?

As you sent this message to both the debian-security ML and [email protected], I'll now repeat my response to your mail to the security team below, so the participants in this mailing list can also enjoy its content.

""
I do not agree that this is a security issue. What the SquirrelMail package claims is correct, namely that it supports running on both PHP4 or PHP5. Debian normally does support, where possible, running a 'mixed system' or 'partial upgrade', where you would e.g. run Etch but did already upgrade SquirrelMail to a newer version.

That you are still using obsoleted packages not supported by Debian is something that is the responsibility of the package manager to inform you about, or, better, for the administrator to inform himself about using tools like the package manager. E.g. aptitude does display obsolete packages being in use.

The question of whether packaging tools should be more explicit about users having packages installed after upgrade which are not present in the newer release anymore, is an older one, but may have some merit. However, this is ultimately a choice of the administrator and the package manager can never know whether this is a deliberate choice by the admin. E.g., installing packages by hand through 'dpkg -i' is a valid use case on a Debian system.

If you think that the package manager should be more explicit in this, then I'm sure your help in improving APT on this point is much appreciated by the APT team. However, this is not a bug in squirrelmail.
""

And for the record, the php4 dependencies have been removed in post-Lenny versions of the squirrelmail package, because Lenny doesn't have php4 anymore.

kind regards,
Thijs
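An added example, not part of the original mail or of any Debian tool: a sketch of the check discussed above, which finds installed packages the current release no longer ships and shows which installed packages rely on them through an alternative dependency such as `php4 | php5`. The sample status text, the `AVAILABLE` set and the function names are constructed for illustration, and virtual packages are not resolved.

```python
import re

# Constructed sample in the format of /var/lib/dpkg/status, plus the set of
# package names the configured release still ships (both are assumptions).
DPKG_STATUS = """\
Package: squirrelmail
Status: install ok installed
Depends: apache2 | httpd, php4 | php5

Package: php4
Status: install ok installed

Package: apache2
Status: install ok installed

Package: oldlib
Status: deinstall ok config-files
"""
AVAILABLE = {"squirrelmail", "php5", "apache2"}

def parse_status(text):
    """Return {package: [[alternatives], ...]} for fully installed packages."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        if fields.get("Status") != "install ok installed":
            continue  # removed packages with leftover config are not in use
        # Drop version constraints "(>= 1.0)" and ":arch" qualifiers.
        installed[fields["Package"]] = [
            [re.sub(r"\s*\(.*?\)|:\w+", "", alt).strip() for alt in group.split("|")]
            for group in filter(None, fields.get("Depends", "").split(","))]
    return installed

def obsolete_report(status_text, available):
    """Map each installed package missing from the release to the installed
    packages whose dependency is satisfied only by that obsolete package."""
    installed = parse_status(status_text)
    report = {}
    for name in sorted(set(installed) - set(available)):
        report[name] = sorted({
            pkg for pkg, groups in installed.items() for group in groups
            if name in group
            and not any(a in installed and a in available for a in group)})
    return report

if __name__ == "__main__":
    for obsolete, users in obsolete_report(DPKG_STATUS, AVAILABLE).items():
        print(f"{obsolete}: not in release; relied on by {users or 'nothing'}")
```

An empty list for an obsolete package means nothing installed depends on it exclusively, so it can be reviewed for removal without breaking a dependency.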

