Re: security in testing



On Thu, May 15, 2003 at 03:19:02PM +1000, Anthony Towns wrote:

> On Wed, May 14, 2003 at 11:59:49PM -0400, Matt Zimmerman wrote:
> > Do you honestly think would be a good idea to use testing-security this way
> > on a continual basis?  
> 
> Yes, I do. I think we should release DSA's for security problems in
> testing, too.

There's that "we" again.  Why not unstable, too?  Round it out to a nice,
even four distributions to simultaneously support, and 40 or so
distribution*architectures.  As if it doesn't take enough time already.

> > Such an endeavor would not seem to require any of the facilities which
> > make foo-security different from foo{,-proposed-updates}.
> 
> The same applies to stable: the key differences are immediacy,
> announcements and control, all of which are equally valuable for testing
> as stable.

No, it is not at all the same as stable.  The problem that is being
discussed in this thread is the presence of known, publicized security holes
in testing.

> In any event, testing-proposed-updates exists and works at
> present, the only thing missing is people reliably uploading to it, and
> evaluating whether uploads work well enough to be included in testing
> or not. All the technical issues have already been addressed.

In that case, I invite any maintainer with a security fix for their package
in 'testing' to upload it to testing for testing-proposed-updates.  Problem
solved.  Are you the one who will be responsible for reviewing the packages?

> Except that there can be no testing users while we don't provide security
> updates. Using testing on a multi-user machine, or one that provides any
> network services on a machine connected to the network is not something
> anyone can recommend in good conscience, and that rules out almost
> everything Debian's actually good at.

This does not trouble me in the least.

> > Sidestepping the process to provide this kind of "timely" security update
> > for "unreleased" software, on the other hand, doesn't seem particularly
> > valuable to me.
> 
> What, precisely, is unreleased about it?

  release
  
     <programming> (Or "released version", "baseline") A version of
     a piece of software which has been made public (as opposed to
     a version that is in development, or otherwise unreleased).
  
     A release is either a {major release}, a {revision}, or a
     {bugfix}.
  
     Pre-release versions may be called {alpha test}, or {beta
     test} versions.
  
     See {change management}.

"released", as in "no longer under development", as in "not changing on a
DAILY BASIS" (as testing does), and so actually supportable.  testing is a
moving target.

-- 
 - mdz
