#5963 Orphaned vulnerable packages in EPEL
Closed: Fixed None Opened 5 years ago by sparks.

The following packages are orphaned and have vulnerabilities open against them.

couchdb - epel-all
ejabberd - epel-5
erlang - epel-5
horde - epel-all
libmodplug - epel-5 and epel-6
libupnp - epel-all
mantis - epel-5
maradns - epel-5
mediawiki - epel-5
mediawiki116 - epel-all
mod_wsgi - epel-5
moin - epel-5
openjpeg - epel-5
osc - epel-6
php-magpierss - epel-all
php-suhosin - epel-all
pki-common - epel-5
polipo - epel-all
python26-mod_wsgi - epel-5
python26-simplejson - epel-5
qemu - epel-5
revelation - epel-5
telepathy-gabble - epel-6
tigase-server - epel-all
torque - epel-all
wordpress-mu - epel-5
xinha - epel-5
zope - epel-5

Can we retire these packages?


Were these retired? I heard some packages in this list being removed but I didn't see any update to this ticket. If these have been retired I'll go through and close open bugs against the packages.

Discussed in today's meeting: https://meetbot.fedoraproject.org/fedora-meeting-1/2014-09-22/releng.2014-09-22-15.37.log.html

The idea is to add a generic approach to handle this with reporting dependencies before doing more about these packages.

mediawiki was dropped quite a while ago from EPEL6. It should be dropped from EPEL5 too. There are also:

{{{
mediawiki.x86_64 1.14.0-45.el5 epel
mediawiki-Cite.noarch 0-0.3.20080901svn.el5 epel
mediawiki-LdapAccount.noarch 0.1-1.el5 epel
mediawiki-ParserFunctions.noarch 1.1.1-1.20080520svn35130.el5 epel
mediawiki-SpecialInterwiki.noarch 0-0.4.svn49252.el5 epel
mediawiki-math.x86_64 1.14.0-45.el5 epel
mediawiki-nomath.x86_64 1.14.0-45.el5 epel
mediawiki-rss.noarch 1.5-2.el5 epel
mediawiki-wikicalendar.noarch 1.16-1.el5 epel
}}}

These have all been taken care of; going forward, packages should be detected and cleaned up faster.

Okay, I still see mantis in EPEL 5.

Actually I see the following packages still in EPEL:

mantis - epel-5
mod_wsgi - epel-5
php-magpierss - epel-all
php-suhosin - epel-all
polipo - epel-6
python26-mod_wsgi - epel-5
python26-simplejson - epel-5
qemu - epel-5
revelation - epel-5
tigase-server - epel-all
torque - epel-all
xinha - epel-5
zope - epel-5

Here is a status update. I will update the comment after I have checked the other branches. Here is an update for EPEL5:

Replying to [comment:8 sparks]:

Actually I see the following packages still in EPEL:

mantis - epel-5

not orphaned since 2014-11-09

PoC: giallu (giallu, group::provenpackager, llaumgui, slankes)

mod_wsgi - epel-5

not orphaned since 2014-11-06

PoC: orion (group::provenpackager, jkaluza, jokajak, jorton, joshkayse, lmacken, orion)

php-magpierss - epel-all

  • will be retired in EPEL 5 today

php-suhosin - epel-all

  • will be retired in EPEL 5 today

polipo - epel-6
python26-mod_wsgi - epel-5

Not orphaned since 2014-05-30

PoC: lmacken (group::provenpackager, lmacken)

python26-simplejson - epel-5

will be retired soon

qemu - epel-5

This is not orphaned since 2014-05-14

revelation - epel-5

This should not be there since 2014-12-17

tigase-server - epel-all
torque - epel-all
xinha - epel-5

will be retired today

zope - epel-5

Cannot be retired currently because it is a dependency for fedpkg (via several other pkgs)

This depends on ticket:5963 for fedpkg-minimal in EPEL.

This has now been completed.

Metadata Update from @sparks:
- Issue set to the milestone: Fedora 20 Final
- Issue tagged with: meeting

2 years ago
