On Fri, Sep 8, 2017 at 11:55 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 8, 2017, at 11:24 AM, Martin Pauly <pauly@hrz.uni-marburg.de> wrote:
IMO, there one good idea in the Debian approach: Treat security fixes sperately from any functional changes. No matter what improvements a new version brings, you almost always want to have a stable, secure environment you can build your next enhancement on.
That's fine... but the result is that *we* take the hit of supporting their users who refuse to upgrade.
There are people who complain about bugs, get told they're already fixed in newer versions, and then complain that they MUST use the upstream distribution.
Well, if you won't upgrade and they won't support you, why is it *my* problem? Don't complain to me if you stapled your feet to the floor.
I think the problem arise because users see the debian directory, and expect to build it successfully (i.e. following https://wiki.freeradius.org/building/Debian-and-Ubuntu). But that fails for debian 9. IMHO some possible options are: (a) add some instructions (e.g. on https://wiki.freeradius.org/building/Debian-and-Ubuntu), something like 'if you're absolutely sure you're using patched/non-vulnerable versions of openssl, then you can edit these files manually, but don't complain if it's broken", and so on. And point any debian-package-related queries there. OR (b) someone who cares-enough about having latest FR runs on debian need to find better check methods (e.g. add versions known as safe, etc). Possibly still include some instructions on the wiki (if user still need to edit config files manually to remove additional version checks). OR (c) a volunteer steps up to maintain latest (unofficial) FR packages for debian, to make it easier for other debian users. You could even use github to host the repository, so no need to maintain your own server. You'd basically just need time to maintain it. -- Fajar