spack / spack

A flexible package manager that supports multiple versions, configurations, platforms, and compilers.
https://spack.io

CVE-2018-11235: Git remote code execution vulnerability #9447

Open 23skdu opened 5 years ago

23skdu commented 5 years ago

Just going through the versions supported by Spack, I wanted to ask if allowing people to install versions of git that are insecure is a good idea, as curators of a package collection. I know with LMOD I can deprecate modules to warn people away: https://lmod.readthedocs.io/en/latest/140_deprecating_modules.html

Is there a way to throw a warning about issues like this planned?

tgamblin commented 5 years ago

I think it would be nice to have an option for `version()` like `preferred=True`, e.g. `insecure=True` or `cve=True`, where we can also deprecate certain versions without removing them. Users might be prompted or might have to supply `-f` to install unsafe things.

One of the goals of Spack is to be reproducible, e.g. for science applications, so I'd like to keep the ability to build old things, but yes, it's good to also not recommend bad versions to users.
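The design sketched in the thread (a flag on the `version()` directive that keeps the version buildable for reproducibility but steers users away from it and requires a force flag to install it) can be modelled in a few lines. The block below is an added illustration written for this page, not Spack's own implementation; the `insecure=` and `advisory=` keywords, the `Package`/`VersionInfo` classes and `concretize()` are hypothetical, and the git version numbers are sample values chosen to show the behaviour, not a statement of the real affected range for CVE-2018-11235.

```python
"""Hypothetical model of a package-recipe version directive that can mark a
version as insecure (e.g. affected by a CVE). Flagged versions stay in the
recipe so old builds remain reproducible, but the selector prefers safe
versions and refuses an explicit request for a flagged one unless forced.
Added example; not Spack's own code or API."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.17.1' into (2, 17, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class VersionInfo:
    version: str
    preferred: bool = False   # existing-style "prefer this one" hint
    insecure: bool = False    # hypothetical flag proposed in the thread
    advisory: str = ""        # free text, e.g. a CVE identifier


class InsecureVersionError(Exception):
    """Raised when a flagged version would be selected without --force."""


@dataclass
class Package:
    name: str
    versions: Dict[str, VersionInfo] = field(default_factory=dict)

    def version(self, v: str, **kwargs) -> None:
        """Mimics a recipe directive: version("2.17.0", insecure=True, advisory="CVE-...")."""
        self.versions[v] = VersionInfo(v, **kwargs)

    def flagged(self) -> List[Tuple[str, str]]:
        """(version, advisory) pairs for every insecure version, for a deprecation report."""
        return [(vi.version, vi.advisory) for vi in self.versions.values() if vi.insecure]

    def safe_versions(self) -> List[VersionInfo]:
        return [vi for vi in self.versions.values() if not vi.insecure]

    def concretize(self, requested: Optional[str] = None, force: bool = False) -> VersionInfo:
        """Pick the version to build.

        No explicit request: a preferred safe version wins, otherwise the newest safe one.
        Explicit request for a flagged version: refuse unless force=True (the -f case).
        """
        if requested is not None:
            vi = self.versions[requested]
            if vi.insecure and not force:
                raise InsecureVersionError(
                    f"{self.name}@{vi.version} is flagged insecure ({vi.advisory}); "
                    "re-run with force=True to build it anyway"
                )
            return vi
        safe = self.safe_versions()
        if not safe:
            raise InsecureVersionError(f"{self.name}: every known version is flagged insecure")
        candidates = [vi for vi in safe if vi.preferred] or safe
        return max(candidates, key=lambda vi: parse_version(vi.version))


def build_sample_package() -> Package:
    """Constructed sample recipe; version numbers are illustrative only."""
    pkg = Package("git")
    pkg.version("2.17.1")
    pkg.version("2.17.0", insecure=True, advisory="CVE-2018-11235")
    pkg.version("2.16.3", insecure=True, advisory="CVE-2018-11235")
    pkg.version("2.15.2")
    return pkg


if __name__ == "__main__":
    git = build_sample_package()
    print("default pick:", git.concretize().version)
    for ver, adv in git.flagged():
        print(f"warning: {git.name}@{ver} is deprecated for security reasons ({adv})")
    try:
        git.concretize("2.17.0")
    except InsecureVersionError as exc:
        print("refused:", exc)
    print("forced pick:", git.concretize("2.17.0", force=True).version)
```

With the sample recipe the default selection is the newest unflagged version, an unforced request for a flagged version is refused with a message naming the advisory, and the forced request goes through, which is exactly the "deprecate without removing" behaviour the comment asks for.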