On Fri, Mar 18, 2011 at 10:07 AM, Stefan Sperling <stsp_at_elego.de> wrote:
> On Thu, Mar 17, 2011 at 11:33:41PM -0400, Nico Kadel-Garcia wrote:
>> The 1.6.16 has some minor build-structure changes that have broken the
>> SRPM's. I'm wondering if it's even worth pursuing, for environments
>> that don't rely on HTTP/HTTPS authentication, especially because I'm
>> such a long-standing deprecator of that approach. (This is because the
>> Linux and UNIX clients store the passwords for HTTP/HTTPS access in
>> clear text.)
>
> That's not a good reason to neglect a security update. There are folks who
> need the update. Not that you're obliged to provide one -- you're doing
> voluntary work, afterall. But I'd expect that a package maintainer to
> keep the entire userbase in mind. Not just those running particular setups.
> It's not as if a Subversion HTTP/HTTPS setup was an unsupported use case.
You've a point, but enabling people to repeat the errors of
mishandling stored passwords is not that high on my priority list. And
the creeping changes to the build structure are making it more awkward
to maintain. If 1.7.0 is coming out soon, I'm not clear it's worthy my
efforts to even bother with this minor release.
Received on 2011-03-18 15:13:31 CET