Re: squirrelmail package in lenny

2010-02-22 Thread Thijs Kinkhorst
Hi Benjamin,

On Sun, February 21, 2010 17:19, Benjamin Vetter wrote:
> I'm wondering why the squirrelmail package has a php4 -or- php5
> dependency http://packages.debian.org/en/lenny/squirrelmail
> I updated from etch to lenny long time ago, but I still had etch's php4
> installed through this optional dependency, because lenny does not have
> any php4 packages (only php5).
>
> Furthermore, there is no security support for etch anymore, so it would
> result in using a rather old php4 package without security support?

As you sent this message to both the debian-security ML and
secur...@debian.org, I'll now repeat my response to your mail to the
security team below, so the participants in this mailing list can also
enjoy its content.

""
I do not agree that this is a security issue. What the SquirrelMail
package claims is correct, namely that it supports running on both PHP4 or
PHP5. Debian normally does support, where possible, running a 'mixed
system' or 'partial upgrade', where you would e.g. run Etch but did
already upgrade SquirrelMail to a newer version.

That you are still using obsoleted packages not supported by Debian is
something that is the responsibility of the package manager to inform you
about, or, better, for the administrator to inform himself about using
tools like the package manager. E.g. aptitude does display obsolete
packages being in use.

The question of whether packaging tools should be more explicit about
users having packages installed after upgrade which are not present in the
newer release anymore, is an older one, but may have some merit. However,
this is ultimately a choice of the administrator and the package manager
can never know whether this is a deliberate choice by the admin. E.g.,
installing packages by hand through 'dpkg -i' is a valid use case on a
Debian system.

If you think that the package manager should be more explicit in this,
then I'm sure your help in improving APT on this point is much appreciated
by the APT team. However, this is not a bug in squirrelmail.
""

And for the record, the php4 dependencies have been removed in post-Lenny
versions of the squirrelmail package, because Lenny doesn't have php4
anymore.


kind regards,
Thijs


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/b8a6ce06f639d552f072e0dee294d6d3.squir...@wm.kinkhorst.nl



Re: squirrelmail package in lenny

2010-02-21 Thread Christian Kujau
On Sun, 21 Feb 2010 at 23:20, Benjamin Vetter wrote:
> the squirrelmail package allows you to use the old etch php4 package, though
> there is no php4 within lenny.

$ apt-cache dump | grep -B2 '^ File.*/status'

Package: php4-common
 Version: 6:4.4.4-8+etch6
 File: /var/lib/dpkg/status

...lists all packages only referenced in the "status" file, but are not 
listed in the Packages files of your repositories.

> therefore, the php package won't get updated, ever.

Well, it's one thing to keep PHP4 around and squirrelmail (and probably 
others) will happily continue to work, but yes - it doesn't make sense to me 
when the squirrelmail package page lists:

   depends on ... or php4 - Package not available.

Maybe you could open a bug to remove this obsolete dependency?

Christian.
-- 
BOFH excuse #234:

Someone is broadcasting pygmy packets and the router doesn't know how to deal 
with them.
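
Added example (not part of the original thread): a stricter version of the `apt-cache dump` check quoted above, reporting only those package versions whose sole source is the dpkg status file, i.e. installed packages that no configured repository still provides or updates. The dump layout is assumed from the excerpt in the message; the `example-*` entries and the `_Packages` path are constructed sample data.

```shell
#!/bin/sh
# Constructed sample shaped like the `apt-cache dump` excerpt in the thread.
# Only the php4-common entry comes from the page; the rest is invented.
sample_dump() {
cat <<'EOF'
Package: php4-common
 Version: 6:4.4.4-8+etch6
 File: /var/lib/dpkg/status
Package: example-installed
 Version: 1.2.3-1
 File: /var/lib/apt/lists/mirror.example_dists_lenny_main_binary-i386_Packages
 File: /var/lib/dpkg/status
Package: example-available
 Version: 1.0-1
 File: /var/lib/apt/lists/mirror.example_dists_lenny_main_binary-i386_Packages
EOF
}

# Reads dump text on stdin and prints "package version" for every version
# whose File: lines name the dpkg status file and nothing else.
status_only_versions() {
    awk '
        function emit_version() {
            if (ver != "" && in_status && !in_repo) print pkg, ver
            ver = ""; in_status = 0; in_repo = 0
        }
        /^Package:/       { emit_version(); pkg = $2; next }
        /^[ \t]*Version:/ { emit_version(); ver = $2; next }
        /^[ \t]*File:/    {
            if ($2 ~ /\/dpkg\/status$/) in_status = 1
            else in_repo = 1
        }
        END               { emit_version() }
    '
}

# On a real system: apt-cache dump | status_only_versions
sample_dump | status_only_versions
```

Packages reported this way receive no further updates from the configured repositories, which is the situation described for etch's php4 on a lenny system.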





Re: squirrelmail package in lenny

2010-02-21 Thread Benjamin Vetter
imho, deborphan only tells you which packages are not used by other 
packages on your system.
but in the case i told, the etch php4 package is used (by squirrelmail) 
under lenny (when you upgrade from etch to lenny).

Therefore deborphan does not show it.

the squirrelmail package allows you to use the old etch php4 package, 
though there is no php4 within lenny.

therefore, the php package won't get updated, ever.

right?

Rolf Kutz wrote:
> On 21/02/10 16:19 +, Benjamin Vetter wrote:
>> Furthermore, there is no security support for etch anymore, so it
>> would result in using a rather old php4 package without security
>> support?
>
> It's recommended to check your system with
> deborphan after upgrading to a new release.
>
> regards
> Rolf




--
Benjamin Vetter
IT Department
plainpicture GmbH & Co. KG
Eimsbütteler Chausse 23
20259 Hamburg
++49 40 80 81 288 46





Re: squirrelmail package in lenny

2010-02-21 Thread Rolf Kutz

On 21/02/10 16:19 +, Benjamin Vetter wrote:
> Furthermore, there is no security support for etch anymore, so it would
> result in using a rather old php4 package without security support?


It's recommended to check your system with
deborphan after upgrading to a new release.

regards
Rolf

--
... Expediency asks the question, 'Is it politic?' ...





squirrelmail package in lenny

2010-02-21 Thread Benjamin Vetter

Hi

I'm wondering why the squirrelmail package has a php4 -or- php5 
dependency http://packages.debian.org/en/lenny/squirrelmail
I updated from etch to lenny long time ago, but I still had etch's php4 
installed through this optional dependency, because lenny does not have 
any php4 packages (only php5).


Furthermore, there is no security support for etch anymore, so it would 
result in using a rather old php4 package without security support?


Best regards
   Benjamin

