Re: Why back-porting patches to stable instead of releasing a new package.
On Sat, Aug 16, 2003 at 12:45:14AM -0400, Andrew Pimlott wrote:
> On Wed, Jul 23, 2003 at 09:10:01AM -0400, Matt Zimmerman wrote:
> > - Security advisories and the associated packages should fix security
> > vulnerabilities and nothing else.
> Have you perhaps seen
> ? I think it's a fairly convincing critique of this policy. I'm
> sure there are many security holes in woody that are fixed in the
> latest stable upstream release. Debian's policy assures that all
That's talking about something different - it's saying that by keeping
more current with upstream releases we would be able to avoid security
problems which only occur in older versions. That's another way of
putting the frequently made criticism that we really ought to do stable
releases more often.
It also assumes that security bugs are only fixed and never introduced
by new versions - there have also been times when Debian has been
unaffected by security problems because stable contained a version of
the software predating the code containing the vulnerability.
"You grabbed my hand and we fell into it, like a daydream - or a fever."