emacs-devel

Re: Fwd: Should package.el support notifying on package security updates


From: Tim Cross
Subject: Re: Fwd: Should package.el support notifying on package security updates?
Date: Sat, 13 Aug 2022 10:44:32 +1000
User-agent: mu4e 1.8.8; emacs 29.0.50

Stefan Kangas <stefankangas@gmail.com> writes:

> Tim Cross <theophilusx@gmail.com> writes:
>
>> - There are actually very few security issues reported for Elisp
>>   packages. This doesn't mean there aren't any, only that they are
>>   discovered and reported very rarely.
>
> If they are rare, that doesn't make them less important.
>

And at no point did I imply they were.

>> - It would require package maintainers to somehow flag that an update is
>>   a security update
>
> I find the maintainers of important packages to be highly conscientious
> people, and that goes in particular the GNU ELPA maintainers.  So I
> don't share your concerns.
>

It has absolutely nothing to do with whether the maintainers are
conscientious or not. My comments are in no way a criticism of
maintainers. In fact, my comments are in support of maintainers in that
they are arguing against adding additional complexity for something
which happens rarely and which would be difficult to achieve in a
consistent manner because of the distributed maintenance model and how
difficult it is to get consistent workflows when you have a branch that
is only used extremely rarely.

>> I suspect if we added the functionality to flag an update as a security
>> update, it is something which happens so rarely, nobody will use it and
>> when they do, nobody will recognise what it really meant.
>
> I think people will know the meaning, because it will presumably say
> "security update" somewhere.

I think you missed my point, but no matter. If you feel it is
worthwhile, go ahead and implement it and get all the maintainers to use
it. If I'm wrong, that is great, as it would not be a bad thing to
have. I just think the value it will add is far less than the effort it
will take to build and maintain, and in 12 months no maintainers will
use it because it will be such a rare workflow that they will forget.
