On Thu, Nov 04, 2010 at 10:49:40AM +0100, Ludwig Nussel wrote:
> Lars Müller wrote:
>> I'm never going to work on a security update for exim. All I'm willing to do is to keep the exim package in openSUSE on a current level. If there is a security issue I would address it with the new version.
> Which is perfectly ok for a package where upstream already is careful to not break stuff. That doesn't work in general though.
Yes, that is exactly what I tried to express with my mail. Being more verbose, my statement sounds like: It depends on the upstream project, the package complexity, how the software is used in SUSE (less or more prominent), whether it is part of the default install, and where in the dependency chain it is located (at ground level like glibc/bash or up in the attic like Samba). These are all factors we have to keep in mind. And that's something primarily the particular project maintainers have to decide on. Who secondarily? Those in charge of the maintenance process. This requires communication and explanations. Some of us have been part of the openSUSE project for a year. Others have been using it for 15 years. I'm stressing this to illustrate the different points of view or motivations.
With exim this is possible. It's not the default MTA of SUSE and therefore the risk of breaking 80% of installed and working systems is much lower.
The question is whether users of exim are aware that they rely on a "second-tier" package. OTOH there is no guarantee that packages that are in the default install are treated with more care either.
We might need an additional attribute on package level our users might rely on and libzypp (zypper + YaST) is able to handle. This would allow users to only install packages which are covered by the preferred individual quality policy.

Lars

-- 
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany