On Fri, Mar 18, 2011 at 10:13:00AM -0400, Nico Kadel-Garcia wrote:
> On Fri, Mar 18, 2011 at 10:07 AM, Stefan Sperling <stsp_at_elego.de> wrote:
> > On Thu, Mar 17, 2011 at 11:33:41PM -0400, Nico Kadel-Garcia wrote:
> >> The 1.6.16 has some minor build-structure changes that have broken the
> >> SRPMs. I'm wondering if it's even worth pursuing, for environments
> >> that don't rely on HTTP/HTTPS authentication, especially because I'm
> >> such a long-standing deprecator of that approach. (This is because the
> >> Linux and UNIX clients store the passwords for HTTP/HTTPS access in
> >> clear text.)
> >
> > That's not a good reason to neglect a security update. There are folks who
> > need the update. Not that you're obliged to provide one -- you're doing
> > voluntary work, after all. But I'd expect a package maintainer to
> > keep the entire userbase in mind. Not just those running particular setups.
> > It's not as if a Subversion HTTP/HTTPS setup was an unsupported use case.
>
> You've a point, but enabling people to repeat the errors of
> mishandling stored passwords is not that high on my priority list.

Fair enough.
I will stop recommending RPMforge packages until more responsible
maintainers show up.

> And the creeping changes to the build structure are making it more awkward
> to maintain. If 1.7.0 is coming out soon, I'm not clear it's worth my
> efforts to even bother with this minor release.

1.7.0 isn't coming out soon.
Received on 2011-03-18 15:27:38 CET