On Thu, 8 Jan 2004, Jason wrote:

>
> > What we must decide upon is whether we should also issue a mpg321
> > package update that removes MP3 functionality. This is only to force
> > the vulnerable program to uninstall from systems. I personally am in
> > favor of this option, but please discuss the pros & cons.
> >
> > A package update may be necessary because IIRC mpg321 is Required by
> > other packages in RH7.x, meaning removing mpg321 may be an infeasible
> > suggestion in the update notification. Please somebody check on this
> > and report back.
> >
> > I personally feel that removing mpg321 or crippling its functionality in
> > Legacy is not much of a loss, since the majority of Legacy users are
> > servers. Maybe some businesses use Legacy for workstations, but think
> > of a broken MP3 decoder as productivity gain? =)
>
> It should be safe for the user to remove mpg321:
>
> [rohwedde@fungo rohwedde]$ rpm -q --whatrequires mpg123 mpg321
> no package requires mpg123
> no package requires mpg321

Mind you, you can't trust --whatrequires <package> output *at all* because
it doesn't look at library dependencies, only anything that has direct
"Requires: <package>". To get full dependency info you'll need to do
something like

rpm -q --whatrequires `rpm -q --provides mpg123`

- Panu -
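
The check described in the message above, written out as an added example (not part of the original message or of any project's code): it queries --whatrequires once per capability the package provides, after stripping the "= version" part that --provides prints for versioned capabilities. The function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list every installed package that depends on a package,
# by name or through any capability (library soname, virtual provide) it offers.
LC_ALL=C; export LC_ALL   # stable sort order and English rpm messages

# Reduce `rpm -q --provides` output to bare capability names:
# "mpg123 = 0.59r-10" becomes "mpg123"; sonames pass through unchanged.
cap_names() {
    sed 's/[[:space:]][[:space:]]*[<>=][<>=]*[[:space:]].*$//' |
        grep -v '^[[:space:]]*$' | sort -u
}

# Drop rpm's "no package requires X" notices and duplicate package names.
dependents_only() {
    grep -v '^no package requires ' | sort -u
}

# Constructed sample of --provides output (not taken from a real package).
sample_provides() {
    printf '%s\n' 'libexample.so.0' 'mpg123 = 0.59r-10' 'mp3-cmdline' 'mpg123'
}

# Names of installed packages, other than $1, requiring anything $1 provides.
# Assumes rpm is on PATH and $1 is installed.
reverse_deps() {
    rpm -q --provides "$1" | cap_names | while IFS= read -r cap; do
        rpm -q --qf '%{NAME}\n' --whatrequires "$cap" 2>/dev/null
    done | grep -vxF -- "$1" | dependents_only
}

# Run against a real package only when one is named on the command line.
if [ "$#" -gt 0 ]; then
    reverse_deps "$1"
fi
```

An empty result from reverse_deps means nothing else installed depends on the package by name or by capability, which is the condition to confirm before advising removal of a vulnerable package.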