> What we must decide upon is whether we should also issue an mpg321
> package update that removes MP3 functionality. This is only to force
> the vulnerable program to uninstall from systems. I personally am in
> favor of this option, but please discuss the pros & cons.
>
> A package update may be necessary because IIRC mpg321 is Required by
> other packages in RH7.x, meaning removing mpg321 may be an infeasible
> suggestion in the update notification. Please somebody check on this
> and report back.
>
> I personally feel that removing mpg321 or crippling its functionality in
> Legacy is not much of a loss, since the majority of Legacy users are
> servers. Maybe some businesses use Legacy for workstations, but think
> of a broken MP3 decoder as a productivity gain? =)

It should be safe for the user to remove mpg321:

[rohwedde@fungo rohwedde]$ rpm -q --whatrequires mpg123 mpg321
no package requires mpg123
no package requires mpg321

But I certainly don't think we have the right to remove software from
someone's machine, whether they be in some sort of legal violation or
not. I think releasing a statement suggesting removal of the offending
software is certainly a responsible alternative for these situations.

-jason
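The reverse-dependency check Jason ran by hand is the step an advisory author should automate before recommending that users uninstall a vulnerable package. The script below is an added example and is not from the thread or the Fedora Legacy project: it wraps `rpm -q --whatrequires`, parses the two output shapes the thread shows ("no package requires X" versus a list of dependent packages), and reports whether removal would break anything installed. The package names in the sample output are constructed; the `parse_whatrequires` and `check_removal` helper names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original thread): decide whether a
# vulnerable package can be removed without breaking installed dependents,
# using the output format of `rpm -q --whatrequires` seen in the thread.

# Parse captured `rpm -q --whatrequires <pkg>` output.
# Prints the dependent package names, one per line.
# Returns 0 when removal is safe (nothing installed depends on the package),
# 1 when at least one installed package requires it.
parse_whatrequires() {
    # $1: text exactly as rpm printed it (may span several lines)
    deps=$(printf '%s\n' "$1" \
        | grep -v '^no package requires ' \
        | grep -v '^$' || true)
    if [ -z "$deps" ]; then
        return 0
    fi
    printf '%s\n' "$deps"
    return 1
}

# Query the live rpm database when rpm is available; otherwise use a
# constructed stand-in so the script still runs offline.
check_removal() {
    pkg=$1
    if command -v rpm >/dev/null 2>&1; then
        out=$(rpm -q --whatrequires "$pkg" 2>&1 || true)
    else
        out="no package requires $pkg"    # constructed stand-in output
    fi
    if parse_whatrequires "$out" >/dev/null; then
        echo "safe: removing $pkg breaks no installed package"
        return 0
    fi
    echo "blocked: $pkg is required by other installed packages:"
    parse_whatrequires "$out" || true
    return 1
}

# Constructed sample outputs (not captured from a real system).
SAFE_SAMPLE="no package requires mpg321"
BLOCKED_SAMPLE="example-frontend-1.0-1
example-tool-2.3-4"

# Usage: run the check for the package named in the advisory.
check_removal mpg321
```

The advisory text can then be generated from the result: "remove mpg321" when the check passes, or a list of the packages that would need replacing when it does not, which is exactly the question the quoted message asked someone to verify.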