Re: Proposal for removal of mICQ package

[Florian Weimer <fw@deneb.enyo.de>]

Steve Kemp <skx@debian.org> writes:

>   As for security updates - what kind of thing did you have in mind?

Digitally signed Release files for security updates with a strictly
monotonic version number should be published on the update server.
The DSA mentions the first version which includes the update.  So
people can invoke something like "apt-get security VERSION" and
receive security updates in a secure manner.  It's not much different
from "apt-get update", but it's more secure.  I planned something like
this for my constituency, but since it will be my ex-constituency soon
(at least for some time), I doubt that this will become a reality.

Extra care has to be taken so that updates can recommend a system
reboot if it is not possible to restart all potentially affected
processes reliably (e.g. after a shared library update).

Currently, two approaches exist.  "apt-get update && apt-get upgrade"
is convenient but insecure (susceptible to MITM attacks), and the
official way (verify DSA signature, download .debs with wget, compare
md5sums, install via dpkg) is tedious.