I'm wondering why the squirrelmail package has a php4 -or- php5
dependency http://packages.debian.org/en/lenny/squirrelmail I updated from etch to lenny long time ago, but I still had etch's php4
installed through this optional dependency, because lenny does not have
any php4 packages (only php5).
Furthermore, there is no security support for etch anymore, so it would
result in using a rather old php4 package without security support?
imho, deborphan only tells you which packages are not used by other
packages on your system.
but in the case i told, the etch php4 package is used (by squirrelmail)
under lenny (when you upgrade from etch to lenny).
Therefore deborphan does not show it.
the squirrelmail package allows you to use the old etch php4 package,
though there is no php4 within lenny.
therefore, the php package won't get updated, ever.
Rolf Kutz wrote:
> On 21/02/10 16:19 +0000, Benjamin Vetter wrote:
>> Furthermore, there is no security support for etch anymore, so it
>> would result in using a rather old php4 package without security
> It's recommended to check your system with
> deborphan after upgrading to a new release.
plainpicture GmbH & Co. KG
Eimsbütteler Chausse 23
++49 40 80 81 288 46
On Sun, February 21, 2010 17:19, Benjamin Vetter wrote:
> I'm wondering why the squirrelmail package has a php4 -or- php5
> dependency http://packages.debian.org/en/lenny/squirrelmail > I updated from etch to lenny long time ago, but I still had etch's php4
> installed through this optional dependency, because lenny does not have
> any php4 packages (only php5).
> Furthermore, there is no security support for etch anymore, so it would
> result in using a rather old php4 package without security support?
As you sent this message to both the debian-security ML and
[hidden email], I'll now repeat my response to your mail to the
security team below, so the participants in this mailinglist can also
enjoy its content.
I do not agree that this is a security issue. What the SquirrelMail
package claims is correct, namely that it supports running on both PHP4 or
PHP5. Debian normally does support, where possible, running a 'mixed
system' or 'partial upgrade', where you would e.g. run Etch but did
already upgrade SquirrelMail to a newer version.
That you are still using obsoleted packages not supported by Debian is
something that is the responsibility of the package manager to inform you
about, or, better, for the administrator to inform himself about using
tools like the package manager. E.g. aptitude does display obsolete
packages being in use.
The question of whether packaging tools should be more explicit about
users having packages installed after upgrade which are not present in the
newer release anymore, is an older one, but may have some merit. However,
this is ultimately a choice of the administrator and the package manager
can never know whether this is a deliberate choice by the admin. E.g.,
installing packages by hand through 'dpkg -i' is a valid use case on a
If you think that the package manager should be more explicit in this,
then I'm sure your help in improving APT on this point is much appreciated
by the APT team. However, this is not a bug in squirrelmail.
And for the record, the php4 dependencies have been removed in post-Lenny
versions of the squirrelmail package. because Lenny doesn't have php4