Re: Debian 3.0r1
On Wed, Jul 31, 2002 at 01:21:41PM +1000, Anthony Towns wrote:
> So how about we stop trying to use the same words for two completely
> different things, and see if there _is_ some reasonable way for us to
> handle this.
> Security updates are fixes to problems that allow undue access to
> your system. That's not what you're talking about.
So if we call these "Security updates"...
> You're talking about updates to security-related software: virus checkers,
> scriptkiddie checkers, and the like. (Actually, to digress, are there
> actually packages of this nature that work well?) The properties of that
> sort of software are probably:
> * when it gets out of date, it becomes substantially less useful:
>   a transparent web filter that's a few weeks old sucks when a new
>   CodeRed type thing comes out; likewise an email virus checker
>   that doesn't cope with the latest variant in .jpeg viruses
> * "updates" often involve significant rewrites of code,
>   rather than just changing a datafile, which could cause security
>   problems of its own, and doesn't match the "backports only"
>   policy for stable
...what do we call these updates?
I think we need a formal name to prevent further confusion.
> Since stable revisions only come every couple of months, it's possible
> that they're just not frequent enough for security products, so you might
> need to set up some other archive anyway. But even so, you probably want
> to ask "why deliver something five months out of date, when you could
> have something only two months out of date?"
> The backports only policy is trickier. It'd be bad to violate that because
> most people just aren't infallible enough to get things right first time
> every time, and it's rare for packages to get anywhere near as much
> testing before they hit stable as after they do so. The kernel's an
> exception; there may be reason to make some security-related packages
> exceptions too. It'd probably be more reasonable to do so if any
> non-backport updates for stable of amavis etc had already been used by
> lots of people, which is probably a reason to set up some other archive
> for that, too.
Brian May <email@example.com>