Sylvain Beucler wrote...
> I'm investigating an issue in 'debian-security-support' related to how it
> includes/excludes packages by comparing the installed version and the
> supported version, see:
> https://bugs.debian.org/986581
Oy, you brought back a lot of old memories. Not necessarily good ones, but that's not your fault. Also, I haven't checked the old mails I'd exchanged with the security team when designing that code. But quite frankly, if a feature is neither obvious nor documented, it's possibly not worth it.

> We could not find a valid use case for this feature, while it is causing
> some missing reports as with 'nodejs', as explained in the above BTS entry.
>
> Did we miss something?

Well, I cannot remember the idea behind the logic, so feel free to do what you (as a group) consider appropriate. From guessing, I'd say:

The case of "Installed package has a version number higher than the last supported one" - then the security status of that package is mostly undefined. Possibly I had backports in mind here: so if a backport is installed *and* that one has proper security support, I consider it correct to stay silent about that situation; in fact, alerting is even wrong because it creates unnecessary noise - that will educate users to ignore such alerts. But it's indeed hard to tell whether this situation applies (checking apt-cache policy, checking the security tracker [please don't], yada yada).

The other feature, being able to end support in advance - well, I'd call that a nice hack and I'd certainly keep it. Although I'd agree it will rarely be used.

Christoph