Re: security in testing
On Thu, May 15, 2003 at 07:30:36PM -0400, Michael Stone wrote:
> On Thu, May 15, 2003 at 07:07:16AM +0200, Sven Luther wrote:
> >But we don't advertize this, so it is natural that people make the
> >mistake and use testing instead of unstable.
> People say this all the time. Then other people go around telling
> everyone to run testing. I'm not sure how to fix misplaced advocacy.
Please, have a look at our announement when first testing was created.
Read well what _We_, as debian, said and then tell me that again.
The reality is that _We_ advocated testing as two things :
1) a release helping tool, with all arches in sync and so on. This has
served us well, altough there is often a big lag, and the loose
release schedule is a strain on developers who have no good idea of
how to best schedule their own packaging effort. But all in all, it
2) a way for people for which stable is too outdated to run more
advanced software, without suffering from the breakages of unstable.
By saying this we clearly imply that it is better to run testing
than unstable. Sure, this was before we had time to test testing,
and before we became aware of the big stalls implied, and the fact
that security wise testing is worse than unstable. But this, only
the insiders, and even then, not everyone, is well informed about.
This second goal is today a total failure, it must not need be so,
but it is today, and we are putting many people at risk. And i think
even that this is against the "We wont hide problems" of our social
contract because there is a small step between not being loud enough
about a fact and hiding it.
I still think that the second goal can be achieved. Probably the fact to
use testing-proposed-update for security and RC bugs would be enough, i
don't know, only experience will tell. That said, again, almost nobody
(of the developers) is aware of the fact that we can (and should) use
testing-proposed-update for that.
All in all, this long thread is only a (mis)-communication problem, as
often is, and we would loose less time if we stopped hiding our head in
the sand and stop alos to use arguments like 'but you should know' or
'this is not a problem, just ...'.