On 07/02/2017 03:09 AM, Ralf Mardorf wrote:
Hi,
I understand that users should decide on their own whether they wish to install high-risk vulnerable software, so I'm not writing because a deletion request was rejected.
I want to make a suggestion.
A pinned comment could warn about the high security risk and, assuming that upstream of the original software shouldn't fix vulnerabilities, at least recommend asking the upstream of software that requires such software as a dependency to get rid of this dependency, instead of installing the vulnerable software.
I'm not sure if everybody is aware of the risks a package like
https://aur.archlinux.org/pkgbase/webkitgtk/
https://aur.archlinux.org/packages/webkitgtk2/
does cause.
When providing such a PKGBUILD, does anything speak against a short pinned comment?
... That is entirely up to the maintainer of said package. Even if it weren't entirely up to the maintainer to pin comments, who are you proposing should be responsible for determining what packages should come with warnings, and then providing such warnings? And what makes you think people will *see* those warnings for packages that are typically not installed on their own, but as dependencies for something else?

Next!

-- 
Eli Schwartz