Re: [Sks-devel] SKS debian package

[Jeffrey Johnson]

On Apr 29, 2012, at 6:24 PM, Robert J. Hansen wrote:

>> You are very very confused: db-1.85 went end-of-life
>> in like 1994
> 
> Not at all.  That advisory, if you missed it, is from 2009.
> 
> I really don't care if db-1.85 was EOLed in 1994, 1984, or 1974.  What I
> care about is that it *is still used today* and there are, within recent
> memories, reports of serious problems with Berkeley DB.  This counters
> what you say in "if there were any BDB 'security releases', you might
> have a point."

It is still used today solely because the talent pool
diminashes, and distros (like Debian) have chosen
a marketing model based on sheer "bloat" rather
than on engineering relevancy.

> 
> There have been security problems with BDB, either directly in BDB or in
> the software ecosystem surrounding BDB, and I believe sks is well-served
> to avoid the embedding problem by using dynamic linking.  And that's all
> I have to say on the subject.

Again
        Show me the CVE that makes my statements a liar.

I think SKS would be better served by choosing _SOME_ version
of Berkeley DB and creating a standalone distribution than
any other means.

This *is* a list about SKS usage, not about Debian maintainers and politics,
which is where this thread started.

If Debian can't figure out how to upgrade SKS, others -- with more
skill -- can.

73 de Jeff