> > I trust Stefan is reading this thread and will do something about it. My vote would
> > be to remove the download link to the windows executables and ask Debian to remove
> > the elog package. I think they have a way for upstream developers (Stefan) to request
> > removal of unmaintained out-of-date insecure versions of their stuff. ROOT
> > was in the same situation years ago, the Debian package for ROOT was very old version,
> > also built incorrectly, and everybody complained to us that our stuff does
> > not work (midas, rootana, etc).
>
> Yeah, I have to recompile the Windows version. Unfortunately my old Windows PC is gone, I
> switched now completely to MacOSX and Linux. Probably have to borrow something from somewhere.
> If anybody can compile the Windows version with the current source code I would be happy.
It would be good if the current state was listed in https://elog.psi.ch/elogs/Vulnerabilities/
It seems there are now updated builds for at least Windows, and the Debian package is still outdated?
Personally, I don't think removing download links and pulling packages should be more than a temporary measure.
Treating people fairly IMHO means they should be able to reach a safe version by the same means that brought and left them exposed.
A clear central source would be best, one that has
- package autobuilds
- source
- cve list
If I understand correctly, currently only the source is up to date?
(I found py_elog on GitHub, so it could be an easy option to mirror ELOG there and let some free service handle the autobuilds.
I don't know how well one can flag vulnerabilities there, but likely it's possible, and ideally more people would help there.)
P.S.: My hat is off to the sysadmin who checked carefully. I wanted to introduce ELOG in a Windows-centric place, and I can't swear I would have checked this (official) download as well.