On Sun, 27 Feb 2005 14:49:32 +0000, Nigel Metheringham > I would suggest that removing a package that has significant security > implications (any MTA or significant functionality network program would > fall into this category) is not good. People depending on FC for > security updates must be made aware that suddenly they must get security > updates from elsewhere or change to an alternative package. you touch on a larger issue about how a package vendor can effectively 'expire' any package to make sure users are aware its no longer being maintained by the original vendor. Currently such notifications for Core are made in the release-notes and its up to users installing the next release of Core to review the release notes. For extras I know of no discussion on how to address issues of notification of removals when they happen in the future. I think we can all agree that relying on the userbase to read the release-notes is probably a less effective method than some tool based approach that users/admins can interact with when doing normal update tasks. The closest thing we have right now in Core are yum and up2date's ability to list orphaned packages installed on the system that do not exist as part of a repository. But even this is a reactive step that users/admins must take to police theire own system. What we need is a way to have vendors 'push' a notice of expiration in a way that the tools notice and inform the admin about as a normal course of events. I know of no on-going experiments to implement anything like this. -jef
