Re: Removal request for trousers (now in EL 5.2 with a lower EVR)

On Sat, Aug 2, 2008 at 7:19 AM, Thorsten Leemhuis <fedora leemhuis info> wrote:
> Hi all!
> The maintainer of the package "trousers" asked the epel-signers to pull that
> package from the EPEL repos as it's in EL since 5.2 now. I would have simply
> done it, but it turned out that the EVR in EPEL is higher than the one in
> EL:
> $ sudo yum list trousers
> trousers.x86_64                          0.3.1-5.el5            epel
> trousers.i386                            0.3.1-5.el5            epel
> $ sudo yum list trousers --disablerepo=epel
> trousers.i386                            0.3.1-4.el5 rhel-x86_64-serv
> trousers.x86_64                          0.3.1-4.el5 rhel-x86_64-serv
> So what to do? I tend a bit to say "remove it as long as the RHEL maintainer
> promises to ship the next updates with a release of '6' or higher". But that
> has downsides as well :-/ .
> Comments?

The "naked" truth is -- I've asked the same question a while ago and
nobody answered me. I maintain "python-setuptools" in EPEL, and it was
included in RHEL5.2 -- also with a lower version. Honestly, there is
no good solution to this, as removing the package from EPEL won't do
much for those who already have it installed. This actually has bad
security repercussions -- if EPEL used to provide foo-1.2 and RHEL5.2
ships with foo-1.1, then if there is a security issue with both of
them, RH will likely backport it to foo-1.1 and thus everyone who had
it installed from EPEL will remain vulnerable.

The *only* viable solution for when packages are pulled in from EPEL
to RHEL proper is to either pull them in at the same version as EPEL,
or to inflate the epoch for the package in RHEL so it always obsoletes
EPEL (though this can also be tricky, as downgrading foo-1.2 to
foo-1.1 can have undesired side-effects).

This is a policy decision that needs to be worked out between EPEL and
RHEL -- preferably ASAP.

Konstantin Ryabitsev
Montréal, Québec
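
The EVR ordering this thread turns on, as an added example that is not part of the original message: a simplified Python version of RPM's version comparison that flags installed packages whose EVR outranks the base repository's build, then checks the two remedies discussed (a release of '6' or higher, or a raised epoch). The function names and the foo/bar data are hypothetical, and `~`/`^` handling is left out.

```python
import re

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Segment-wise comparison in the style of RPM's rpmvercmp (no '~'/'^' handling)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra trailing segments win

def parse_evr(evr):
    """Split '[epoch:]version-release'; a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def compare_evr(a, b):
    """Return 1, 0 or -1: epoch decides first, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def stranded(installed, base_repo):
    """Packages whose installed EVR outranks the base repo's, so the base update is never applied."""
    return sorted(name for name, evr in installed.items()
                  if name in base_repo and compare_evr(evr, base_repo[name]) > 0)

# Constructed sample data. The trousers EVRs are the ones in the yum output above;
# the foo and bar EVRs are made up (foo mirrors the foo-1.2 / foo-1.1 scenario).
INSTALLED = {"trousers": "0.3.1-5.el5", "foo": "1.2-1.el5", "bar": "2.0-1.el5"}
BASE_REPO = {"trousers": "0.3.1-4.el5", "foo": "1.1-3.el5", "bar": "2.0-2.el5"}

if __name__ == "__main__":
    print("stranded on the add-on repo build:", stranded(INSTALLED, BASE_REPO))
    # The two remedies discussed: a base release of '6' or higher, or a raised epoch.
    for candidate in ("0.3.1-6.el5", "1:0.3.1-4.el5"):
        print(candidate, "supersedes 0.3.1-5.el5:",
              compare_evr(candidate, "0.3.1-5.el5") > 0)
```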

