Hi Raphael

On Sun, 21 Oct 2007 07:38:57 pm Raphael Hertzog wrote:
> Hi Steffen,
>
> On Sun, 21 Oct 2007, Steffen Joeris wrote:
> > I have read up on your discussion with the stable sec team. At the
> > moment, sql-ledger is in testing and from what I have heard it would be
> > possible to package and upload LedgerSMB, which fixes the security
> > issues. Therefore, I would like to remove sql-ledger from testing. For
> > lenny, ledgersmb could be used then. Any objections?
>
> Yes. Until someone has done the job of packaging LedgerSmb I would like to
> keep sql-ledger. Please understand that we're speaking of a financial
> application that companies are using... (mine included).

I totally understand that and I would also want to have other software packaged for Debian and to be kept there, but unfortunately ...
> Also it won't be trivial to migrate from one to the other, so it's a fair
> bit of work to create the package and offer a sane upgrade path.
>
> We already documented the fact that sql-ledger is not safe to use in an
> untrusted environment.

Well, my point is that sql-ledger is in stable (and not security supported), which is the way it is. For lenny this should, IMHO, not happen again. I personally see it that way: ledgersmb is the one after sql-ledger and should be the new version. For this, sql-ledger can be dropped in favour of ledgersmb. This somehow also makes it the responsibility of the sql-ledger maintainer to care for ledgersmb as a lenny version. If that is not the case, then the removal of sql-ledger (without any alternative) should be considered.

Cheers
Steffen

P.S. Raphael, please note that this is no personal criticism, you know that I am not up for such things. Just my two cents to the sql-ledger security debate.
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team