[Popcon-developers] Bug#97045: Please track package versions

Sandro Tosi morph at debian.org
Mon Nov 3 22:39:56 UTC 2014


Hello Bill,

On Mon, Nov 3, 2014 at 10:10 PM, Bill Allombert <ballombe at debian.org> wrote:
> On Fri, Oct 31, 2014 at 09:24:05PM +0000, Sandro Tosi wrote:
>> Hello,
>> It would be really interesting to start reporting also the version of
>> the package, for example it could answer questions like: how many have
>> installed the last upload in sid vs the version in testing?
>
> The time granularity of popcon is larger than the current delay between
> sid and testing, so I doubt it would work.

I don't see the point here: if the user doesn't install the package, it
could be in the archive for weeks/months but they will still have the
older version.

>> I think
>> the default visualization should remain as is, but with the
>> possibility to drill down on versions.
>>
>> I don't honestly see how reporting a version could leak any personal
>> information or violate one's privacy, as long as we report versions
>> released on debian archives.
>
> If you still use an outdated version of a package with a security hole, you
> might not want to broadcast the fact, even if the package was part of the
> Debian archives in the past, and even if you do not know yet about the hole.

But there is no correlation between who submitted the report and the
value in it, so just knowing that there is someone with the popcon active
on their machine with a security hole (which is different than
*exploitable*) is not much more knowledge than "there are systems still
running Linux 2.0 on the internet, let's go exploit them".

Cheers,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi


