Security/support status of packages

Martin Pitt martin.pitt at
Fri Feb 8 08:47:55 GMT 2008

Matt Zimmerman [2008-02-07 14:58 +0000]:
> I disagree; highlighting a problem without a solution makes the user feel
> worse, not better.

But the alternative is to not highlight the problem at all, which is
even worse. At least the user would be aware that he has an
unsupported and potentially dangerous package installed.

I saw a lot of complaints from users who installed some universe
packages like clamav and were absolutely surprised (and furious) when
they got to know that these had a ton of unfixed vulns. This sheds a
very bad light on us, since we do not communicate clearly which
packages are actually 'safe' to install, but we do enable
universe/multiverse by default now.

> The best response we could offer would be to provide a button to
> uninstall the vulnerable application, but would that actually help?

Most users who don't care will keep it, but at least they are aware of
it and we do not hide the problem from them.

We cannot solve the problem properly, because there is too much crack
in universe which is unmaintainable security-wise (which is one of the
reasons why we have the main/universe boundary and MIR checks). So I
agree that the best thing we can do is to properly communicate it.

Martin Pitt
Ubuntu Developer
Debian Developer