On Wed, Feb 4, 2015 at 8:09 PM, Stephen Dowdy wrote:
> So, if a user installs said package, but fails to notice any EOL DSA
> on it, the package gets left in place in a potentially VULNERABLE
> state. I.E. if a known exploit comes out, and the package is still
> installed, the end-user could get a nasty surprise thinking that
> because they've added security support to apt-sources and regularly
> update, that they are protected. This is a non-optimal and undesired
> end-result.

The debian-security-support package somewhat addresses those concerns [0], but it is not currently installed by default. There was some discussion to make that happen, but hasn't been followed through.

> Note that chromium is in 'main' -- not 'contrib' or ..., so there's a
> valid expectation that its security support won't just silently stop
> -- unlike the other FAQ entry that says there's basically no security
> support or contrib, non-free..

I'm not sure where you get the "silently" concern from, but this topic is already discussed in wheezy's release notes [1]. The problem with that of course you'll point out is that users often don't read that...

Best wishes,
Mike

[0] https://packages.qa.debian.org/d/debian-security-support.html
[1] https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security

