
Re: Preparation of Debian GNU/Linux 3.0r1



Martijn van Oosterhout wrote:
> On Sat, Nov 02, 2002 at 11:28:51PM +0100, Martin Schulze wrote:
> > Preparation of Debian GNU/Linux 3.0r1
> > =====================================
> > postgresql          stable    7.2.1-2          alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390, sparc, source
> > postgresql          updates   7.2.2-0.woody.1  alpha, hppa, i386, mips, mipsel, s390, source

> > 	Version 6.5.3-27.2 would be DSA-165 postgresql - buffer overflows
should've read 7.2.1-2woody2

> > 	Version 7.2.2-0.woody.1 is not an authorized new upstream version.
> > 
> > 	Files from DSA-165 got lost though
> 
> In what way is it not an authorised upstream version? It was released on
> August 24[1] to fix precisely these security issues. Anyway, it should
> really be 7.2.3 to fix the critical data corruption bug[2] (for which there
> wasn't a DSA) but I notice that one hasn't shifted into testing yet.

It is not authorized in the sense that it's a new upstream version
that should not go into an updated stable Debian release.  As stated
several times by several people, the stable Debian release is to stay
as it is, with all bugs and features, except for security, after it is
released.

That means security updates are rather backported than slipped in by a
new upstream version.  As you can guess 7.2.1 is a different version
than 7.2.2, and in fact includes more than just security updates.  The
security updates were included in the version of postgresql which is
distributed through security.debian.org, but the packages were
rejected by the archive janitor since a package with a higher version
number was already uploaded.

Regards,

	Joey

-- 
Every use of Linux is a proper use of Linux.  -- Jon "Maddog" Hall

Please always Cc to me when replying to me on the lists.


