Re: Debian 3.0r1
- To: Debian Development <debian-devel@lists.debian.org>
- Subject: Re: Debian 3.0r1
- From: Brian May <bam@debian.org>
- Date: Thu, 8 Aug 2002 11:55:43 +1000
- Message-id: <20020808015543.GB313@snoopy.apana.org.au>
- Mail-followup-to: Brian May <bam@debian.org>, Debian Development <debian-devel@lists.debian.org>
- In-reply-to: <20020731032141.GB23126@azure.humbug.org.au>
- References: <Pine.LNX.4.44.0207221108450.1649-100000@samadhi.braincells.com> <20020725180702.GC12477@finlandia.infodrom.north.de> <20020725233548.GB23566@snoopy.apana.org.au> <1027674138.1130.8.camel@atlas> <20020727020750.GG15410@snoopy.apana.org.au> <20020729180311.GD9737@finlandia.infodrom.north.de> <20020729232427.GB11012@snoopy.apana.org.au> <20020730075731.GA10004@finlandia.infodrom.north.de> <20020731012119.GD30485@snoopy.apana.org.au> <20020731032141.GB23126@azure.humbug.org.au>
On Wed, Jul 31, 2002 at 01:21:41PM +1000, Anthony Towns wrote:
> So how about we stop trying to use the same words for two completely
> different things, and see if there _is_ some reasonable way for us to
> handle this.
>
> Security updates are fixes to problems that allow undue access to
> your system. That's not what you're talking about.
So if we call these "Security updates"...
> You're talking about updates to security-related software: virus checkers,
> scriptkiddie checkers, and the like. (Actually, to digress, are there
> actually packages of this nature that work well?) The properties of that
> sort of software are probably:
>
> * when it gets out of date, it becomes substantially less useful:
> a transparent web filter that's a few weeks old sucks when a new
> CodeRed type thing comes out; likewise an email virus checker
> that doesn't cope with the latest variant in .jpeg viruses
>
> * "updates" often involve significant rewrites of code,
> rather than just changing a datafile, which could cause security
> problems of its own, and doesn't match the "backports only"
> policy for stable
...what do we call these updates?
I think we need a formal name to prevent further confusion.
> Since stable revisions only come every couple of months, it's possible
> that they're just not frequent enough for security products, so you might
> need to setup some other archive anyway. But even so, you probably want
> to ask "why deliver something five months out of date, when you could
> have something only two months out of date?"
Yes. Exactly.
> The backports only policy is trickier. It'd be bad to violate that because
> most people just aren't infallible enough to get things right first time
> every time, and it's rare for packages to get anywhere near as much
> testing before they hit stable as after they do so. The kernel's an
> exception; there may be reason to make some security-related packages
> exceptions too. It'd probably be more reasonable to do so if any
> non-backport updates for stable of amavis etc had already been used by
> lots of people, which is probably a reason to setup some other archive
> for that, too.
--
Brian May <bam@debian.org>