Re: security in testing
On Wed, May 14, 2003 at 10:03:32AM -0500, Steve Langasek wrote:
> Figuring that a security upload would be preferable, I approached the
> security team and offered to prepare an upload. I was effectively told
> that this isn't done, and because it isn't done, most testing users don't
> have security.d.o in their sources.list, so don't bother.
This is an excellent point. Testing users do not expect updates from
security.debian.org, so there is no reason that they need to be kept there.
Testing users do not have such an entry in sources.list, so any other
repository would be on equal footing. However, so far no one has taken any
action to coordinate this, nor has anyone prepared updates for testing that
would occupy such a repository.
> The only remaining option is to get a dependency chain that passes muster
> with the testing scripts. While this is a goal anyway, and while fixing
> the RC bugs in other packages is good for the release as a whole :), it's
> certainly the least efficient way to make a fixed package available and
> does nothing to help those testing users whose machines are being
> compromised today because they had no reason to believe they should add
> deb http://security.debian.org/ woody/updates main on a machine running
This is a related, more general issue, of how to minimize the blockage
introduced by package dependencies. I think this problem is much more
worthwhile to address than security updates targeted at 'testing'.