On Wed, Jul 31, 2002 at 11:21:19AM +1000, Brian May wrote:
> However, this discussion seems pointless, it might be better just to
> fork the Debian archive and create another archive for security updates
> in it that do not meet Debian's strict criteria for security updates...

So how about we stop trying to use the same words for two completely different things, and see if there _is_ some reasonable way for us to handle this.

Security updates are fixes to problems that allow undue access to your system. That's not what you're talking about. You're talking about updates to security-related software: virus checkers, scriptkiddie checkers, and the like. (Actually, to digress, are there actually packages of this nature that work well?)

The properties of that sort of software are probably:

* when it gets out of date, it becomes substantially less useful: a transparent web filter that's a few weeks old sucks when a new CodeRed type thing comes out; likewise an email virus checker that doesn't cope with the latest variant in .jpeg viruses

* "updates" often involve significant rewrites of code, rather than just changing a datafile, which could cause security problems of its own, and doesn't match the "backports only" policy for stable

Since stable revisions only come every couple of months, it's possible that they're just not frequent enough for security products, so you might need to set up some other archive anyway. But even so, you probably want to ask "why deliver something five months out of date, when you could have something only two months out of date?"

The backports only policy is trickier. It'd be bad to violate that because most people just aren't infallible enough to get things right first time every time, and it's rare for packages to get anywhere near as much testing before they hit stable as after they do so. The kernel's an exception; there may be reason to make some security-related packages exceptions too.

It'd probably be more reasonable to do so if any non-backport updates for stable of amavis etc had already been used by lots of people, which is probably a reason to set up some other archive for that, too. Or not.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``If you don't do it now, you'll be one year older when you do.''