Re: Proposal for removal of mICQ package

Steve Kemp <skx@debian.org> writes:
> As for security updates - what kind of thing did you have in mind?

Digitally signed Release files for security updates with a strictly
monotonic version number should be published on the update server.
The DSA mentions the first version which includes the update. So
people can invoke something like "apt-get security VERSION" and
receive security updates in a secure manner. It's not much different
from "apt-get update", but it's more secure. I planned something like
this for my constituency, but since it will be my ex-constituency soon
(at least for some time), I doubt that this will become a reality.

Extra care has to be taken so that updates can recommend a system
reboot if it is not possible to restart all potentially affected
processes reliably (e.g. after a shared library update).

Currently, two approaches exist. "apt-get update && apt-get upgrade"
is convenient but insecure (susceptible to MITM attacks), and the
official way (verify DSA signature, download .debs with wget, compare
md5sums, install via dpkg) is tedious.
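
The client-side check proposed in this message, sketched as an added example that is not part of the original post and is not apt code: a Release file is accepted only if its signature verifies, its version number is at least the one named in the advisory, and it is not older than one already accepted. The `Serial` field, the function names and the sample data are assumptions, and HMAC-SHA256 stands in for the archive's public-key signature.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 stands in for the archive's public-key signature,
# because the Python standard library has no OpenPGP verifier.
DEMO_KEY = b"constructed-demo-key"

def sign(release: bytes, key: bytes = DEMO_KEY) -> str:
    return hmac.new(key, release, hashlib.sha256).hexdigest()

def parse_release(release: bytes) -> dict:
    """Parse 'Field: value' lines; 'Serial' is a hypothetical field name."""
    fields = {}
    for line in release.decode("ascii").splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def check_update(release, signature, advisory_serial, last_seen, key=DEMO_KEY):
    """Return the serial to record locally, or raise ValueError."""
    # Verify before parsing, so unauthenticated bytes never reach the parser.
    if not hmac.compare_digest(sign(release, key), signature):
        raise ValueError("bad signature")
    serial_text = parse_release(release).get("Serial", "")
    if not serial_text.isdigit():
        raise ValueError("missing or malformed Serial")
    serial = int(serial_text)
    # A replayed old Release file is validly signed but predates the fix.
    if serial < advisory_serial:
        raise ValueError("stale: predates the version named in the advisory")
    if serial < last_seen:
        raise ValueError("rollback: older than a Release already accepted")
    return serial

def verdict(*args):
    try:
        return f"ok {check_update(*args)}"
    except ValueError as err:
        return f"rejected: {err}"

# Constructed sample data: two Release files for the same suite.
OLD = b"Suite: stable-security\nSerial: 41\n"
NEW = b"Suite: stable-security\nSerial: 42\n"

if __name__ == "__main__":
    print(verdict(NEW, sign(NEW), 42, 41))  # current file
    print(verdict(OLD, sign(OLD), 42, 41))  # replayed older file
```

The second call shows why the signature alone is not enough: the older file still verifies, and only the version number from the advisory lets the client reject it.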