Hello, on Friday, 27 May 2011, Marcus Meissner wrote:
On Fri, May 27, 2011 at 11:31:15PM +0200, Dimstar / Dominique Leuenberger wrote:
Before we get any release EOL, we publish a last / final 'security' update for aaa_base with a 'license' text, that is actually an announcement of EOL of any given release.
We did this previously (some releases ago), but the message display code is no longer there.
We have post-update messages still, but... ... PackageKit and its updaters I think do not show them, so they are quite useless.
Did someone say that you should use post-update messages? ;-) PackageKit can display license texts - so IMHO the way to go is to provide an update for aaa_base with an EOL message as license. (I know that an EOL warning is, strictly speaking, not a license - but hey, we are searching for working solutions, not for 100% name compliance ;-)
Btw, the 11.2 update repo is still there,
The 11.1 repos are also still there, but the update repo comes with a little problem. (This problem probably also exists for 11.2.)

The update repos contain an expiration date to avoid that someone who uses a mirror directly (without download.o.o) doesn't notice if this mirror doesn't update the repo anymore (which could even be used by attackers to keep security holes open). The expiration date is a good idea to prevent "outdated mirror attacks", and I don't want to miss it.

The problem is that this expiration date is no longer updated for 11.1 - which is somehow understandable, but also annoying when using evergreen. My daily update notification [1] sends me a warning every day that the 11.1 update repo is outdated :-/

And I don't want to remove the 11.1 update repo - otherwise when installing a new package, I could get a non-patched package that got an "official" security update, but not an evergreen update.

The question is: how can we solve this?

The easiest way is to regularly update the expiration date in the 11.1 update repo metadata. Just re-enable the script that did this while 11.1 was supported ;-)

A more complex way (probably only for future releases) would be to have something in the evergreen repo metadata that can suppress the "outdated repo" warning for the $version update repo.

An alternative (and more secure) way would be a zypper config option that can selectively suppress error messages ("suppress 'outdated repo' warning for the 12.1-update repo").

Oh, there's a third way: allow evergreen to publish the updates in the official 11.1 update repos.

And: Yes, I'm aware that some of my ideas might not be what the security team likes ;-)

Regards,

Christian Boltz

[1] you probably know patch2mail ;-) BTW: the current version in home:cboltz also lists package updates by default to follow the update notification behaviour in 11.4. I did not update the factory package yet.

--
Just read dclp.* for a while, you'll be left speechless. If you roll an armadillo across the keyboard, better PHP code comes out than what gets posted there. [R. Huebenthal in darw]