
Re: [SECURITY] [DSA 2135-1] New xpdf packages fix several vulnerabilities



On Tue, Dec 21, 2010 at 12:34 PM, Moritz Muehlenhoff wrote:
> Upgrade instructions
> - --------------------
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:

For future advisories, I wonder if this might be better said as "Make
sure that a 'deb http://security.debian.org/ stable/updates main' line
is included in your /etc/apt/sources.list and then run the following
commands to perform the update."

> apt-get update
>        will update the internal database
> apt-get upgrade
>        will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.

Isn't this a repeat of the first sentence in the upgrade instructions?

> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main

I think this would be better stated in plain English as suggested above.

> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main

Since dpkg-ftp is removed from sid/squeeze (and I don't know if it
checks signatures), I think this line should be removed.

> Mailing list: debian-security-announce@lists.debian.org

Is this statement useful?  The user can look at the mail header to see
where it came from.

> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

This may be better to state in plain English.  For example, "For more
info on this package, type 'apt-cache show' or visit
http://packages.debian.org/<pkg>.  For information on the changes
involved type 'cat /usr/share/doc/<pkg>/changelog.Debian.gz' or
install the apt-listchanges package."

I wonder if there should be a warning somewhere in this footer about
using tools (such as dpkg) that don't check signatures?  Or maybe
explicitly state that apt, aptitude, synaptic, software center, update
manager, etc. are the only recommended tools.

Anyway, just some thoughts on new changes.

Best wishes,
Mike
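
Added example, not part of the original message or of any Debian tool: a shell check for the "make sure the line is included in your /etc/apt/sources.list" step suggested above, which ignores commented-out and deb-src entries. The function name and the sample file are constructed for illustration, and it assumes the exact URI quoted in the advisory footer (trailing slash optional).

```shell
#!/bin/sh
# has_security_source FILE
#   returns 0 if FILE has an active (uncommented) entry equivalent to
#     deb http://security.debian.org/ stable/updates main
#   returns 1 if not, 2 if FILE cannot be read.
has_security_source() {
    file=$1
    [ -r "$file" ] || return 2
    awk '
        { sub(/#.*/, "") }            # drop comments, including trailing ones
        $1 != "deb" { next }          # skip blank lines and deb-src entries
        {
            i = 2
            # skip an optional [ option=value ... ] block before the URI
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i; suite = $(i + 1)
            sub(/\/+$/, "", uri)      # treat a trailing slash as optional
            if (uri != "http://security.debian.org") next
            if (suite != "stable/updates") next
            for (j = i + 2; j <= NF; j++) if ($j == "main") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$file"
}

# Constructed sample input (not taken from a real system): the only
# security entry without options is commented out, so the check must
# rely on the third line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://ftp.debian.org/debian stable main
# deb http://security.debian.org/ stable/updates main
deb [arch=amd64] http://security.debian.org stable/updates main contrib
EOF
if has_security_source "$sample"; then
    echo "security updates entry present; apt-get update && apt-get upgrade will see fixes"
else
    echo "security updates entry missing; add it before running apt-get update"
fi
rm -f "$sample"
```

On a real system, pass /etc/apt/sources.list as the argument.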

