'Twas brillig, and Guillaume Rousse at 30/03/12 10:17 did gyre and gimble:
> Using task-obsolete is fine:
> - its purpose is crystal-clear
> - if I don't want it, I don't install it
>
> Adding an obsolete tag in openjdk to remove sun jdk now, for security
> concerns, whereas we had suffered a useless mess of at least four
> available java environments at once for years uselessly (except for
> blindly applying jpackage project practices), doesn't seem quite similar.

Well think of it this way (assuming I have the facts vaguely straight):

Forget about Cauldron and mga2.

We're providing a known insecure version to mga1 users. We need to find a way to update mga1 somehow right? Or do we want to just abandon them?

Assuming we do not want to abandon them, what do we do? I'd suggest shipping a new empty package that replaces it with a README.urpmi telling them to go to Sun directly is the most responsible thing for us to do. If they do not have a JRE installed, and they have packages that require one, then they should be prompted to install e.g. openjdk to satisfy package deps.

That should work OK right?

Otherwise we're basically washing our hands of our users' security.

This isn't hand holding or taking away choice. It's about informing them and being a socially responsible distributor. I don't know why this is even a problem point for discussion.

Whatever is decided, the position on mga1 then just flows through into mga2.

Col

-- 

Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
