[Back story: this thread started because there is still a vulnerability in the version of Samba in testing, which has been fixed in both stable and unstable. Collateral bugs prevent Samba from propagating from unstable to testing any time soon.] On Wed, May 14, 2003 at 06:22:26PM +1000, Anthony Towns wrote: > On Wed, May 14, 2003 at 10:07:16AM +0300, Chris Leishman wrote: > > Actually - I didn't suggest this. I suggested there should be some > > consensus on what to do about security problems in testing - my main > > suggestion is that packages should be simply removed and the user > > notified of what actions they can do to get it back (such as upgrading > > to an unstable version, downgrading to a stable version, or fixing the > > bugs). > This isn't possible in general; when mysql has a security problem > you can't just tell people to (a) not use it, or (b) just run the > unstable/stable version anyway, in spite of whatever reasons they based > their decision to use testing on in the first place. > We already know the right way of dealing with security bugs; we do it for > our stable releases. If you care about security and testing, all you have > to do is the same thing that's being done there. It's really that simple. I'm not sure what you mean by "the same thing", but as I see it, there are three possible ways to get a fixed package into testing: an upload to security.debian.org, an upload to testing-proposed-updates that's accepted into the main archive, or via the normal unstable->testing propagation. Figuring that a security upload would be preferable, I approached the security team and offered to prepare an upload. I was effectively told that this isn't done, and because it isn't done, most testing users don't have security.d.o in their sources.list, so don't bother. Since the security.debian.org site is under the administrative control of the security team, it doesn't seem like this is going to go anywhere without their acquiescence. That leaves t-p-u, or the normal unstable->testing route. Well, as release manager, I would expect you to be the one to approve an upload to t-p-u. If the "right" way to handle this is via security.d.o, presumably you think an upload to t-p-u is the wrong way? The only remaining option is to get a dependency chain that passes muster with the testing scripts. While this is a goal anyway, and while fixing the RC bugs in other packages is good for the release as a whole :), it's certainly the least efficient way to make a fixed package available and does nothing to help those testing users whose machines are being compromised today because they had no reason to believe they should add deb http://security.debian.org/ woody/updates main on a machine running testing. So, I guess I'll be filing with ftp.d.o to have the vulnerable Samba package removed from testing. -- Steve Langasek postmodern programmer
Attachment:
pgpeKoGGzlKPR.pgp
Description: PGP signature