Re: Why back-porting patches to stable instead of releasing a new package.
On Wed, Jul 23, 2003 at 09:10:01AM -0400, Matt Zimmerman wrote:
> - Security advisories and the associated packages should fix security
> vulnerabilities and nothing else.
Have you perhaps seen
http://lwn.net/Articles/44117/
? I think it's a fairly convincing critique of this policy. I'm
sure there are many security holes in woody that are fixed in the
latest stable upstream release.[1] Debian's policy assures that all
well-publicized bugs get patched, but that doesn't mean that others
don't slip through the cracks. A capable cracker targeting a Debian
stable system has a simple algorithm: browse upstream changelogs for
closed holes that weren't publicized.
Andrew
[1] Actually, I know of one about which I am communicating with the
maintainer.