[arch-general] out of date packages - an observation
After the recent discussion(s) around this topic I thought it worthwhile to go through where things stand.

I went through all the packages flagged out of date on the website and focused on what I viewed as the "more important" ones (this is IMHO of course ... I'm sure others have different views). Regardless of how out of date a package is, if a new package was in testing I did not include it here.

Of those that passed my sufficiently important filter: I found only 2 packages more than 1 week old and 3 less than a week - 2 of which were released upstream today. One is more than 9 months out of date (refind-efi).

Here's what I found, ordered most out of date at the top:

refind-efi
 - Arch version 0.9.2 as of 9/22/2015
 - Upstream has 0.10.3 from 4/24/2016
 - this one is very out of date - be good to have this updated.

openssl
 - Arch has 1.0.2.h - Out of date as of 8/25/2016
 - 1.1.0 was released upstream on 8/25/2016

dkms
 - Out of date as of 9/1/2016
 - Arch Package website refers to dell.com should be changed to https://github.com/dell/

util-linux
 - 2.28.2 was released today
 - arch has 2.28.1 released 8/11/2016

linux
 - 4.7.3 is out of date as of today

-- Gene lists@sapience.com
On Wed, Sep 07, 2016 at 11:51:20AM -0400, Genes Lists via arch-general wrote:
openssl - Arch has 1.0.2.h - Out of date as of 8/25/2016 - 1.1.0 was released upstream on 8/25/2016
This one is a most difficult case.

a) 1.0.2.h is still a supported LTS release, so in terms of security this is not a huge problem.
b) Even if a program compiles against 1.1.0, it still needs to be verified if that program has been updated for 1.1.0 because of subtle API breakage (functions behaving differently, suddenly returning values that need to be checked, etc).
c) Even some major software packages do not support 1.1.0 yet [1].

In the light of the latter two points, a number of packages using OpenSSL need to be reviewed carefully. I'm sure the package maintainer is aware of this, so some waiting is inevitable and understandable.

--
[1] https://bugs.python.org/issue26470
On 09/07/16 at 11:51am, Genes Lists via arch-general wrote:
After the recent discussion(s) around this topic I thought it worthwhile to go through where things stand.
I went through all the packages flagged out of date on the website and focused on what I viewed as the "more important" ones (this is IMHO of course ... I'm sure others have different views). Regardless of how out of date a package is, if a new package was in testing I did not include it here.
Not sure what you are trying to achieve with this email, but it's actually a bit worse. We have 189 (i686/x86_64 included) packages which are out of date for more than 30 days in our repos. Then again I don't have any historical data of how many out of date packages we usually have.

-- Jelle van der Waa
On Thu, 2016-09-08 at 10:15 +0200, Jelle van der Waa wrote:
Not sure what you are trying to achieve with this email, but it's
My point was just that by focussing on the more important packages, it seems to me Arch is doing pretty well in my view - the glass is half full so to speak.
actually a bit worse. We have 189 (i686/x86_64 included) packages which
Yep indeed - I did the count approach as well at first - but I found it more helpful to poke around a little more and try to take into consideration importance, don't double count different arch's, don't double count related packages (e.g. gambas*, util-linux and libutil-linux etc). My goal was to tease apart the raw counts into something I found more meaningful.

It is certainly true that different folks will likely view importance differently or have different perspectives to my own. I'm only speaking for myself here.

As an aside - both the 4.7.3 kernel and util-linux are already up to date :-)

gene
-- Gene lists@sapience.com
On Thu, 08 Sep 2016 10:27:23 -0400, Genes Lists via arch-general wrote:
On Thu, 2016-09-08 at 10:15 +0200, Jelle van der Waa wrote:
Not sure what you are trying to achieve with this email, but it's
My point was just that by focussing on the more important packages, it seems to me Arch is doing pretty well in my view - the glass is half full so to speak.
IMO your intention was unambiguous :).
participants (4)
- Genes Lists
- Jelle van der Waa
- lists@2ion.de
- Ralf Mardorf