Re: Why back-porting patches to stable instead of releasing a new package.
- To: Debian Developers <debian-devel@lists.debian.org>
- Subject: Re: Why back-porting patches to stable instead of releasing a new package.
- From: Andrew Pimlott <andrew@pimlott.net>
- Date: Sat, 16 Aug 2003 00:45:14 -0400
- Message-id: <20030816044514.GB6887@pimlott.net>
- Mail-followup-to: Debian Developers <debian-devel@lists.debian.org>
- In-reply-to: <20030723131001.GH15582@alcor.net>
- References: <20030715092532.GA8393@achos.com> <20030715125624.GL11400@alcor.net> <20030717151620.GA23268@debian.org> <20030721174232.GL13924@alcor.net> <20030722122252.GC24699@debian.org> <20030722223606.GB15133@alcor.net> <20030723081555.GA32048@debian.org> <20030723131001.GH15582@alcor.net>
On Wed, Jul 23, 2003 at 09:10:01AM -0400, Matt Zimmerman wrote:
> - Security advisories and the associated packages should fix security
> vulnerabilities and nothing else.
Have you perhaps seen
http://lwn.net/Articles/44117/
? I think it's a fairly convincing critique of this policy. I'm
sure there are many security holes in woody that are fixed in the
latest stable upstream release.[1] Debian's policy assures that all
well-publicized bugs get patched, but that doesn't mean that others
don't slip through the cracks. A capable cracker targeting a Debian
stable system has a simple algorithm: browse upstream changelogs for
closed holes that weren't publicized.
Andrew
[1] Actually, I know of one about which I am communicating with the
maintainer.