[bug] lunar update removes a module instead upgrading (was: Re: [Lunar-commits] <moonbase> firefox4: removed because it is not security supported - use firefox5)
Zbigniew Luszpinski
zbiggy at o2.pl
Fri Jul 1 01:33:37 CEST 2011
> >>> firefox4: removed because it is not security supported - use
> >>> firefox5
> >>
> >> Maybe it would have been better if this had been moved to
> >> zdeprecated for a while so people had a chance to switch before it
> >> was removed. ...
> >> Sometimes it's a pain in the bum when active modules get deleted or
> >> renamed because the next time you 'lunar update' or even just 'lin
> >> moonbase' the system has no clue about the old module name any more.
> >
> > I'm not happy either with how module replacement is (not) done. We
> > should add something like a module replacement table, so when lunar
> > update displays a message that a module was removed from moonbase it
> > should look into the replacement table to see what to install instead.
> > Such a table should have 2 columns like:
> > firefox4 firefox5
> > to let lunar update know that when firefox4 was removed from moonbase
> > firefox5 should be lined as an update.
>
> When this was discussed before, my suggestion was that when a normal
> user runs 'lin moonbase' (rather than a dev with a moonbase.git) then
> lin should detect that the module has been removed/renamed and create
> a copy in zlocal. This would give the user chance to tidy up.
This way firefox4 with open security holes would silently hide inside
zlocal forever because, as you said, a user does not track moonbase changes
in git. On Windows or Linux the official binary will update itself in 24
hours. On Lunar this is not possible. I did not remove firefox4 because
I'm a bad guy but because I'm a good guy who cares about users' security.
Everyone who uses a distro trusts its maintainers to keep it
safe to use. Otherwise he/she will be a dev or create a new distro.
If there were no security risk I would move firefox4 to zdeprecated.
Removing something from moonbase is our way of cutting out things which
may harm your PC.
>
> Unfortunately I wouldn't know where to start looking in the lin code
> to implement such a feature. Maybe I'll look into it after my vacation.
> Don't hold your breath though :-)
I think you are trying to provide a good solution (keep software installed
for people's comfort) in a bad way (preserving insecure software forever).
I'm against such a solution because of security.
In my spare time I will try to code the solution I invented today with
an upgrade table. This way we can still remove insecure things ASAP and
provide a way to auto-upgrade for users' comfort. Of course other ideas are
welcome.
have a nice day,
Zbigniew Luszpinski
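
The two-column replacement table proposed in this message can be sketched as follows. This is an added example, not part of the original post and not Lunar's code: the function name, the status codes, the file layout and every sample row except `firefox4 firefox5` are assumptions, and the sample data is constructed. It goes beyond the single row in the message by following chained replacements and stopping on a cycle.

```shell
#!/bin/bash
# Hypothetical sketch of the "replacement table" lookup; not Lunar's code.

# resolve_replacement TABLE MODULE AVAILABLE
#   TABLE:     file with "old new" rows (the two columns from the message)
#   AVAILABLE: file listing modules still present in moonbase, one per line
# Prints the module to install. Status 0 = found, 1 = removed with no
# successor, 2 = the table loops back on itself.
resolve_replacement() {
  local table="$1" current="$2" available="$3" seen=" " next
  while :; do
    # Module (or its successor) is still shipped: install that one.
    if grep -qxF -- "$current" "$available"; then
      printf '%s\n' "$current"
      return 0
    fi
    # Refuse to follow a table that cycles instead of spinning forever.
    case "$seen" in *" $current "*) return 2 ;; esac
    seen="$seen$current "
    # First matching row wins; '#' comment rows never match a module name.
    next=$(awk -v m="$current" '$1 == m { print $2; exit }' "$table")
    [ -n "$next" ] || return 1
    current="$next"
  done
}

# Constructed sample data (only the firefox4 row comes from the message).
SAMPLE_DIR=$(mktemp -d)
TABLE="$SAMPLE_DIR/replacements"
AVAIL="$SAMPLE_DIR/available"
printf '%s\n' '# old new' 'firefox4 firefox5' 'oldmod midmod' \
  'midmod newmod' 'loopa loopb' 'loopb loopa' > "$TABLE"
printf '%s\n' 'firefox5' 'newmod' > "$AVAIL"

# What an update run could report for each installed-but-removed module.
for mod in firefox4 oldmod gone loopa; do
  if new=$(resolve_replacement "$TABLE" "$mod" "$AVAIL"); then
    echo "$mod: removed from moonbase, lin $new instead"
  else
    echo "$mod: removed from moonbase, no usable replacement (status $?)"
  fi
done
```

A module that resolves with status 1 or 2 still needs a visible warning, since it stays installed with no upgrade path.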