remove phpmyadmin from archive

There are (as of today) 9 unfixed 'medium' criticality CVEs affecting bionic (many more on xenial, but none of higher severity) according to https://people.canonical.com/~ubuntu-security/cve/pkg/phpmyadmin.html

Would it be better to remove this package from existing releases altogether, if such can be done policy-wise and technically, to prevent users growing a false sense of security?

for the record, a new phpmyadmin is being worked on at Debian, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916310

Nevertheless, the current version is so old and brittle, that removal from the archives is probably a good idea.

On Wed, Jul 24, 2019 at 07:06:40PM -0000, Tom Reynolds wrote:
> Would it be better to remove this package from existing releases
> altogether, if such can be done policy-wise and technically, to prevent
> users growing a false sense of security?

I don't believe we've taken this step before. Even when eg bitcoin
software was entirely useless due to being out of date from the protocol
in use, I don't believe we pushed updates to remove the software from user
machines nor prevent them from installing it in the future.

Thanks

> Even when eg bitcoin software was entirely useless due to
> being out of date from the protocol in use, I don't believe
> we pushed updates to remove the software from user machines
> nor prevent them from installing it in the future.

We actually did authorize such an SRU, because the bitcoin client was not just useless, it was actively harming the bitcoin network. I don't recall if this was actually done, but the precedent does exist.

Removing packages from eoan:
 phpmyadmin 4:4.6.6-5 in eoan
  phpmyadmin 4:4.6.6-5 in eoan amd64
  phpmyadmin 4:4.6.6-5 in eoan arm64
  phpmyadmin 4:4.6.6-5 in eoan armhf
  phpmyadmin 4:4.6.6-5 in eoan i386
  phpmyadmin 4:4.6.6-5 in eoan ppc64el
  phpmyadmin 4:4.6.6-5 in eoan s390x
Comment: Request of security; removed from Debian testing, LP: #1837775, Debian bug #920822 et al
1 package successfully removed.

On Wed, Sep 04, 2019 at 04:52:18PM -0000, Steve Langasek wrote:
> We actually did authorize such an SRU, because the bitcoin client was
> not just useless, it was actively harming the bitcoin network. I don't
> recall if this was actually done, but the precedent does exist.

Here's the diff I found last time I went looking for this precedent:
http://launchpadlibrarian.net/181578432/bitcoin_0.3.24~dfsg-1ubuntu0.1_0.3.24~dfsg-1ubuntu0.2.diff.gz

It was actually published to precise-updates:
https://launchpad.net/ubuntu/+source/bitcoin/0.3.24~dfsg-1ubuntu0.2

Thanks

Hello,

Just wanted to let you know that we have uploaded a new version to our PPA https://launchpad.net/~phpmyadmin/+archive/ubuntu/ppa

A lot of work is made to have the new version uploaded to buster-backports

https://salsa.debian.org/phpmyadmin-team/phpmyadmin/issues/1

We are currently blocked because the ftp team did not review are packages that are the new dependencies of phpmyadmin 4.9.0.1

Regards,
William Desportes

Hi, was looking to install phpmyadmin 4.9.1 on a ubuntu 19.10 beta system but it's not in the a repository. Was able to manually install it but kind of a pain. I am guessing that phpmyadmin will not be available for 19.10 nor will a Eoan ppa be available??

Hi Rob, I can't speak for the Ubuntu release team but I'll give my understanding of the situation:

since Eoan is past feature freeze and Debian import freeze, phpmyadmin won't be included in the 19.10 release.

Once the next release is opened, Ubuntu will automatically import phpmyadmin from Debian if William and his team have brought it through the NEW packaging process in Debian. There may or may not be steps that you can do to help out, it might be worth looking through the Salsa issue tracker to see if there's things you can do to contribute.

Thanks