Re: actively notifying users of removed packages

2008-03-12 Thread Frans Pop
Karl Chen wrote:
 Good points, I also discovered Synaptic works well for manually
 looking for removed packages.  Notifying PTS subscribers by email
 also sounds very useful.  Still, I worry about the people who
 don't know to check for removed packages - and aren't watching
 the packages that happened to be removed.

Well, people should probably just read the documentation that is provided
for them:
http://www.debian.org/releases/stable/i386/release-notes/ch-upgrading.en.html#s-obsolete


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: actively notifying users of removed packages

2008-03-12 Thread Christian Perrier
Quoting Frans Pop ([EMAIL PROTECTED]):

 Or use the aptitude frontend for package management which will show such
 packages under the header "Obsolete and Locally Created Packages".


Thanks for reminding me of this very obvious feature, which helped me
remove about 20 obsolete packages from my laptop. :-)

I support the idea of something in cron-apt, which popped elsewhere
in the thread.

For people worried about security problems in obsolete packages, I can
also recommend the use of the debsecan package which optionally mails
the local admin about packages with known security issues and
explicitly mentions those which are obsolete.






actively notifying users of removed packages

2008-03-11 Thread Karl Chen
Hi,

I would like to bring up the issue of removed packages.  I think
it is problematic that sometimes packages get removed, with no
automatic transition [a transitional package, or another package
depending on a replacement package or conflicting with the old
one], and no active notification to the user.

My primary concern is security.  I recently discovered many
packages that have been removed from Debian, that I had still been
using with no idea that they were removed.  The worst part is,
some of these packages were removed due to outstanding security
bugs!  For example, bitchx and dhcp-client.  It's clear to me that
a silent removal is problematic since the result is existing users
keep that buggy version forever.

An example of a package with a logical replacement is
beep-media-player.  I've been using this program without realizing
that audacious has superseded it.  It would have been nice, though
not necessarily security-critical, to know about
beep-media-player's removal.  Some of the ones I've noticed are a
single binary package removed where the source package still
exists, e.g. hal-device-manager (which is somewhat superseded by
gnome-device-manager).  With ntp-simple, I don't know how, but I
had both ntp and ntp-simple (version 1:4.2.2.p4+dfsg-2) installed,
where ntp presumably was supposed to get rid of ntp-simple.
Apparently a transitional package existed and was subsequently
removed, so it fell through the cracks.

[How to find out why a particular package no longer exists wasn't
obvious either.  A general search via Google or newsgroups usually
doesn't yield anything useful; the way I've figured out how to do
it is (1) look up the package in packages.qa.debian.org, (2) find
a "removed from unstable" message, and (3) look up the associated
bug report at bugs.debian.org.]

Solutions?: Since in many of these situations there may be more
than one replacement or no replacement, it makes sense that
there's no automatic action via a dist-upgrade.

One idea is to have a system where the user is notified when
installed packages no longer exist in the apt repositories, with
an explanation and suggested follow-ups [e.g. install one of X, Y, Z,
or just remove the package].  The default explanation could be
just a link to the BTS page, so no extra required work for
maintainers.

How?  Since users may have installed .deb files manually or
removed lines from /etc/apt/sources.list, the existence of a
package without an apt source isn't necessarily a problem.
However, an active removal via an ftp.debian.org bug, or a source
package no longer building a binary package, is more significant.
I suggest in these cases that when the user runs apt-get upgrade,
he is notified of removed packages (the first time this is
noticed).  This might be implemented in a separate tool hooked in
similar to apt-listchanges, or integrated into apt-get and/or
various frontends; the information might be part of Packages.gz or
a separate file similar to ftp-master.debian.org/removals.txt.  (I
noticed that removals.txt only has a few months of data.  The
mechanism for this idea should allow for people who only run
apt-get once every couple months.)


Thoughts?  What have I missed?  Existing solutions or non-problem?
How can we move towards implementing something like this?  What
other ideas are there for dealing with disappearing packages?

Thanks,
Karl


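The check Karl sketches above (installed packages that no longer exist in any configured apt source, reported only the first time they are noticed, with an ignore list for locally built packages), written as an added example for this thread rather than any script posted in it. It parses the stanza format of /var/lib/dpkg/status and the Packages indexes; the sample stanzas are constructed, and the real-file paths plus the assumption that apt keeps its lists uncompressed are mine.

```python
"""Flag installed packages missing from every configured apt index.  Added example,
not a script from this thread; input is the plain text dpkg and apt already keep."""
import glob

# Constructed sample stanzas standing in for /var/lib/dpkg/status and a Packages index.
SAMPLE_STATUS = """\
Package: ntp
Status: install ok installed

Package: ntp-simple
Status: install ok installed

Package: local-kernel-module
Status: install ok installed
"""
SAMPLE_INDEX = "Package: ntp\nArchitecture: i386\n\nPackage: audacious\nArchitecture: i386\n"

def parse_stanzas(text):
    """Yield {field: value} per RFC822-style stanza; continuation lines are skipped."""
    for block in text.split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if "Package" in fields:
            yield fields

def installed_packages(status_text):
    """Names whose dpkg state ends in 'installed' (so not 'config-files' or 'half-installed')."""
    return {s["Package"] for s in parse_stanzas(status_text)
            if s.get("Status", "").split()[-1:] == ["installed"]}

def obsolete_packages(status_text, index_texts, ignore=()):
    """Installed names absent from every index, minus locally built ones to ignore."""
    available = {s["Package"] for t in index_texts for s in parse_stanzas(t)}
    return sorted(installed_packages(status_text) - available - set(ignore))

def newly_obsolete(current, already_reported):
    """Report a package only the first time it is noticed; returns (new, updated set)."""
    new = sorted(set(current) - set(already_reported))
    return new, set(already_reported) | set(current)

if __name__ == "__main__":  # real run; assumes uncompressed index files in /var/lib/apt/lists
    with open("/var/lib/dpkg/status") as f:
        status = f.read()
    indexes = [open(p).read() for p in glob.glob("/var/lib/apt/lists/*_Packages")]
    print("\n".join(obsolete_packages(status, indexes)))
```

As Daniel notes later in the thread for his aptitude patch, a check like this only sees what the current indexes say: dropping a source from sources.list makes its packages look removed, so the ignore list (or a persisted "already reported" set) is what keeps the report quiet.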



Re: actively notifying users of removed packages

2008-03-11 Thread Nico Golde
Hi Karl,
* Karl Chen [EMAIL PROTECTED] [2008-03-11 13:51]:
 I would like to bring up the issue of removed packages.  I think
 it is problematic that sometimes packages get removed, with no
 automatic transition [a transitional package, or another package
 depending on a replacement package or conflicting with the old
 one], and no active notification to the user.
 
 My primary concern is security.  I recently discovered many
 packages that have been removed from Debian, that I had still been
 using with no idea that they were removed.  The worst part is,
 some of these packages were removed due to outstanding security
 bugs!  For example, bitchx and dhcp-client.  It's clear to me that
 a silent removal is problematic since the result is existing users
 keep that buggy version forever.
[...] 
If you are using testing please consider subscribing to
secure-testing-announce[0] to get informed about such package removals.

[0] http://lists.alioth.debian.org/mailman/listinfo/secure-testing-announce
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Re: actively notifying users of removed packages

2008-03-11 Thread The Fungi
On Tue, Mar 11, 2008 at 03:59:13PM +0100, Frans Pop wrote:
[...]
 I'd suggest to file wishlist bugreports against any package
 management frontend (not including apt) that does not in some way
 mark packages that are no longer available in the archive (or
 rather, in the sources defined in the sources list).
[...]

On the surface, this also sounds like a good idea for a wishlist bug
(commented default config example or whatever) against cron-apt.
-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP([EMAIL PROTECTED]); IRC([EMAIL PROTECTED]); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER([EMAIL PROTECTED]);
MUD([EMAIL PROTECTED]:6669); WWW(http://fungi.yuggoth.org/); }





Re: actively notifying users of removed packages

2008-03-11 Thread gregor herrmann
On Tue, 11 Mar 2008 05:23:45 -0700, Karl Chen wrote:

 Thoughts?  What have I missed?  Existing solutions or non-problem?

Not a general solution probably but maybe interesting for you is the
following RSS feed:
http://ftp-master.debian.org/~joerg/removals/removals.rss

Cheers,
gregor 
-- 
 .''`.   http://info.comodo.priv.at/ | gpg key ID: 0x00F3CFE4
 : :' :  debian: the universal operating system - http://www.debian.org/
 `. `'   member of https://www.vibe.at/ | how to reply: http://got.to/quote/
   `-NP: Van Morrison




Re: actively notifying users of removed packages

2008-03-11 Thread Joachim Breitner
Hi,

On Tuesday, 11.03.2008, at 05:23 -0700, Karl Chen wrote:
 Thoughts?  What have I missed?  Existing solutions or non-problem?
 How can we move towards implementing something like this?  What
 other ideas are there for dealing with disappearing packages?

A solution that’s possible without big changes would be a package
removal-notifier which contains a manual list of removed packages
(which needs to be maintained by someone of course) and can tell the
user about packages he has installed but that are on that list.

Not very elegant, but it would work and probably quite easy to
implement.

Just a quick idea,
Joachim

-- 
Joachim nomeata Breitner
Debian Developer
  [EMAIL PROTECTED] | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: [EMAIL PROTECTED] | http://people.debian.org/~nomeata




Re: actively notifying users of removed packages

2008-03-11 Thread Raphael Geissert
Joachim Breitner wrote:
 
 A solution that’s possible without big changes would be a package
 removal-notifier which contains a manual list of removed packages
 (which needs to be maintained by someone of course) and can tell the
 user about packages he has installed but that are on that list.
 
 Not very elegant, but it would work and probably quite easy to
 implement.

I wrote a similar script a few days ago and blogged about it[1].
Besides the comments I received I still use it because of several reasons
such as: I don't use aptitude, I have some packages which I'd like to be
ignored, I don't like aptitude's output, and I don't have apt-show-versions
installed :).

[1]http://my.opera.com/atomo64/blog/2008/03/09/where-to-put-such-a-script

 
 Just a quick idea,
 Joachim
 

Cheers,
Raphael






Re: actively notifying users of removed packages

2008-03-11 Thread Karl Chen
 On 2008-03-11 06:52 PDT, Lucas Nussbaum writes:

Lucas If you are only interested in a few packages, you could
Lucas subscribe to them on the PTS. I recently worked on a
Lucas script to notify PTS subscribers ('summary' keyword)
Lucas when the package is orphaned or removed.  (see
Lucas #464021)

 On 2008-03-11 06:57 PDT, Andreas Bombe writes:

Andreas It's no active notification, but aptitude lists all
Andreas installed packages that aren't in any distribution
Andreas included in sources.list under "Obsolete and Locally
Andreas Created Packages".  Verifying that this doesn't
Andreas include any packages that I expect there (like
Andreas locally compiled kernel module packages) is my way of
Andreas checking for removed packages.

Good points, I also discovered Synaptic works well for manually
looking for removed packages.  Notifying PTS subscribers by email
also sounds very useful.  Still, I worry about the people who
don't know to check for removed packages - and aren't watching 
the packages that happened to be removed.

Karl





Re: actively notifying users of removed packages

2008-03-11 Thread Daniel Burrows
On Tue, Mar 11, 2008 at 04:19:42PM +0100, Luca Brivio [EMAIL PROTECTED] was 
heard to say:
 At 14:57 on Tue, 11 March 2008, Andreas Bombe wrote:
  It's no active notification, but aptitude lists all installed packages
  that aren't in any distribution included in sources.list under "Obsolete
  and Locally Created Packages".  Verifying that this doesn't include any
  packages that I expect there (like locally compiled kernel module
  packages) is my way of checking for removed packages.
 
 aptitude should perhaps list packages that became (that is, are and weren't 
 before) obsolete (= not being in any archive? removed?) every time actions 
 are performed through its CLI? Seems like an efficient way...

  I wrote a patch to do this on the way to work this morning, and I
think it should actually work now.  Note, though, that it only works for
obsolete packages in the new index: if you remove a source and update,
packages made obsolete by that change aren't detected.

  Daniel

