> A package update may be necessary because IIRC mpg321 is Required by
> other packages in RH7.x, meaning removing mpg321 may be an infeasible
> suggestion in the update notification. Please somebody check on this
> and report back.
>
> I personally feel that removing mpg321 or crippling its functionality in
> Legacy is not much of a loss, since the majority of Legacy users are
> servers. Maybe some businesses use Legacy for workstations, but think
> of a broken MP3 decoder as productivity gain? =)

It's not about business it's about screwing somebody up and surprising
them when the legacy repository breaks something on their system which
used to work. What if this program were something to do with mail
processing that suddenly became legally complicated to update? You
wouldn't just break someone's mail system?

So it's just mp3 playing but we shouldn't surprise people with the
change.

I recommend issuing a comment about mp3 players and libraries being
deprecated and legal reasons make them impossible to be updated.

Last I checked this particular vulnerability isn't all that nasty
anyway. Let people know that there is a vulnerability and that we can't
patch it. They can discover the patches/fixes for themselves. Heck,
maybe some enterprising young soul will drop an anvil on that particular
bug and squash it. :)

-sv