Bug#409703: sql-ledger in testing
Hi Raphael,

I have read up on your discussion with the stable sec team. At the moment, sql-ledger is in testing and from what I have heard it would be possible to package and upload LedgerSMB, which fixes the security issues. Therefore, I would like to remove sql-ledger from testing. For lenny, ledgersmb could be used then.

Any objections?

Cheers
Steffen
Bug#409703: sql-ledger in testing
Hi Steffen,

On Sun, 21 Oct 2007, Steffen Joeris wrote:
> I have read up on your discussion with the stable sec team. At the moment, sql-ledger is in testing and from what I have heard it would be possible to package and upload LedgerSMB, which fixes the security issues. Therefore, I would like to remove sql-ledger from testing. For lenny, ledgersmb could be used then.
>
> Any objections?

Yes. Until someone has done the job of packaging LedgerSmb I would like to keep sql-ledger. Please understand that we're speaking of a financial application that companies are using... (mine included).

Also it won't be trivial to migrate from one to the other, so it's a fair bit of work to create the package and offer a sane upgrade path. We already documented the fact that sql-ledger is not safe to use in an untrusted environment.

Cheers,
--
Raphaël Hertzog
First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/
Bug#409703: sql-ledger in testing
Hi Raphael

On Sun, 21 Oct 2007 07:38:57 pm Raphael Hertzog wrote:
> Hi Steffen,
>
> On Sun, 21 Oct 2007, Steffen Joeris wrote:
> > I have read up on your discussion with the stable sec team. At the moment, sql-ledger is in testing and from what I have heard it would be possible to package and upload LedgerSMB, which fixes the security issues. Therefore, I would like to remove sql-ledger from testing. For lenny, ledgersmb could be used then.
> >
> > Any objections?
>
> Yes. Until someone has done the job of packaging LedgerSmb I would like to keep sql-ledger. Please understand that we're speaking of a financial application that companies are using... (mine included).

I totally understand that and I would also want to have other software packaged for debian and to be kept there, but unfortunately ...

> Also it won't be trivial to migrate from one to the other, so it's a fair bit of work to create the package and offer a sane upgrade path. We already documented the fact that sql-ledger is not safe to use in an untrusted environment.

Well my point is that sql-ledger is in stable (and not security supported), which is the way it is. For lenny this should, IMHO, not happen again. I personally see it that way: ledgersmb is the one after sql-ledger and should be the new version. For this, sql-ledger can be dropped in favour of ledgersmb. This somehow also makes it the responsibility of the sql-ledger maintainer to care for ledgersmb as a lenny version. If that is not the case, then the removal of sql-ledger (without any alternative) should be considered.

Cheers
Steffen

P.S. Raphael please note that this is no personal criticism, you know that I am not up for such things. Just my two cents to the sql-ledger security debate.
Bug#409703: sql-ledger in testing
Hi,

On Sun, 21 Oct 2007, Steffen Joeris wrote:
> > Also it won't be trivial to migrate from one to the other, so it's a fair bit of work to create the package and offer a sane upgrade path. We already documented the fact that sql-ledger is not safe to use in an untrusted environment.
>
> Well my point is that sql-ledger is in stable (and not security supported), which is the way it is. For lenny this should, IMHO, not happen again. I personally see it that way:

I don't see the problem of having that package if it doesn't impose any work on the security team as it's documented to be non-supported.

> ledgersmb is the one after sql-ledger and should be the new version. For this, sql-ledger can be dropped in favour of ledgersmb. This somehow also makes it the responsibility of the sql-ledger maintainer to care for ledgersmb as a lenny version. If that is not the case, then the removal of sql-ledger (without any alternative) should be considered.

I agree that ledgersmb should replace sql-ledger in the long term but they are doing major changes to the infrastructure which makes it a quite unstable fork at the time being. As for the responsibility of the sql-ledger maintainer, well, in an ideal world yes ... but the fact is that the sql-ledger maintainers are a bunch of busy guys whose interest for accounting apps is purely required by the necessity of accounting in companies and not really by passion... So while I'd like to already have a working ledgersmb package with a conversion script from sql-ledger to ledgersmb, this is not the case and I thus disagree with a forced removal of the package.

Cheers,
--
Raphaël Hertzog
First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/