[Secure-testing-team] sql-ledger in testing

Raphael Hertzog hertzog at debian.org
Sun Oct 21 16:00:14 UTC 2007


Hi,

On Sun, 21 Oct 2007, Steffen Joeris wrote:
> > Also it won't be trivial to migrate from one to the other, so it's a fair
> > bit of work to create the package and offer a sane upgrade path.
> >
> > We already documented the fact that sql-ledger is not safe to use in an
> > untrusted environment.
> Well my point is that sql-ledger is in stable (and not security supported), 
> which is the way it is. For lenny this should, IMHO, not happen again. I 
> personally see it that way:

I don't see the problem of having that package if it doesn't impose any
work on the security team as it's documented to be non-supported.

> ledgersmb is the one after sql-ledger and should be the new version. For this, 
> sql-ledger can be dropped in favour of ledgersmb. This somehow also makes it 
> the responsibility of the sql-ledger maintainer to care for ledgersmb as a 
> lenny version. If that is not the case, then the removal of sql-ledger 
> (without any alternative) should be considered.

I agree that ledgersmb should replace sql-ledger in the long term but they
are doing major changes to the infrastructure which makes it a quite
unstable fork at the time being.

As for the responsibility of the sql-ledger maintainer, well, in an ideal
world yes ... but the fact is that the sql-ledger maintainers are a bunch
of busy guys whose interest for accounting apps is purely required by the
necessity of accounting in companies and not really by passion...

So while I'd like to already have a working ledgersmb package with a
conversion script from sql-ledger to ledgersmb, this is not the case and I
thus disagree with a forced removal of the package.

Cheers,
-- 
Raphaël Hertzog

First French book on Debian GNU/Linux:
http://www.ouaza.com/livre/admin-debian/


