Remove sql-ledger from devel/yakkety
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| sql-ledger (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
Please remove sql-ledger source and binary packages from devel/yakkety
Rationale:
This should be removed from the Ubuntu archive because neither Ubuntu nor Debian are actively maintaining this package. It is not tracking upstream - latest upstream version is 3.2.1 and latest Debian and Ubuntu package releases are 3.0.8. 3.2.0 was released six months ago.
It has open CVEs dating back to 2007 which "allows remote attackers to read and overwrite arbitrary files, and execute arbitrary code".
The packaging note explicitly states that it is not receiving security updates ("This package does not benefit from serious security support") but the package deals with accounting and money which require a high degree of security and trust.
$ reverse-depends sql-ledger
No reverse dependencies found
| Jeremy Bícha (jbicha) wrote | #2 |
| Jamie Strandboge (jdstrand) wrote | #3 |
| Changed in sql-ledger (Ubuntu): | |
| status: | New → Fix Released |
Thanks for taking your time to report this issue and help making Ubuntu better.
I'm not familiar with the process for package removal, but it might be preferable to request removal in Debian in which case Ubuntu would follow in line. I assume the same issues affect Debian.
I've subscribed the Ubuntu package archive team, which oversee addition and removal of packages. They probably know more about it.