On Tue, Jun 08, 2004 at 09:35:56AM -0400, Dan M. MacNeil wrote:
> I stutter:
> > > It is my subjective experience that the security team is actually
> > > pretty good about updating testing. For example the postgresql update
> > > applied to both testing & stable.
>
> Steve Langasek (post modern programmer) writes:
> > This would be very subjective indeed, because the
> > security team does nothing to directly address
> > security holes in testing.
>
> If I were a diligent person, I'd look at this a bit more carefully (does
> apt-get log???), but here are a few random data points to muddy the
> waters.
>
> My various /etc/apt/sources.list files contain:
>
> deb http://security.debian.org/ sarge/updates main contrib non-free

The Packages list for main under sarge/updates lists a total of two source
packages, and the versions of both provided from sarge/updates are older
than the versions provided via woody/updates.

> ...and when I get a notice from the security list:
> http://lists.debian.org/debian-security-announce/
> the mentioned package is (always?) updated w/ an apt-get update/upgrade
>
> It doesn't matter (much) to me if the package maintainer updates the
> package or the security team. (However, I do seem to see
> "security.debian.org" flashing across the screen when I am updating
> packages)

The only thing the above sources.list entry will give you is periodic
checking of the timestamp on the Packages file.

As to whether the package maintainer or the security team updates the
package, the issue is precisely that getting updated packages into testing
in order to fix security bugs in as timely a manner as they are fixed in
stable is often more effort than package maintainers are willing to invest.

<shrug>

-- 
Steve Langasek
postmodern programmer
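The comparison described in the reply above, as an added example that is not part of the original message: it reads package versions from two suite indexes and lists the packages whose sarge/updates version sorts older than the woody/updates one under dpkg's version ordering. The index stanzas, package names and versions are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample index stanzas (not real archive data).
SARGE_UPDATES = """Package: examplepkg
Version: 1.2.3-1

Package: otherpkg
Version: 3.1~rc1-1
"""
WOODY_UPDATES = """Package: examplepkg
Version: 1.2.3-1woody2

Package: otherpkg
Version: 3.0-4woody1
"""

def _order(c):
    # dpkg sort weight: '~' sorts first, letters sort before other symbols.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare one upstream-version or revision string in dpkg order."""
    while a or b:
        # Non-digit prefix, character by character; end of string weighs 0.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ca = _order(a[0]) if a and not a[0].isdigit() else 0
            cb = _order(b[0]) if b and not b[0].isdigit() else 0
            if ca != cb:
                return ca - cb
            a, b = a[1:], b[1:]
        # Digit run, compared numerically (an empty run counts as 0).
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(v1, v2):
    """Negative if v1 is older than v2, zero if equal, positive if newer."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), up, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def stale_in_testing(testing_index, stable_index):
    """Packages present in both indexes whose testing version is older."""
    pat = re.compile(r"^Package: (\S+)\n(?:.*\n)*?Version: (\S+)", re.M)
    t, s = dict(pat.findall(testing_index)), dict(pat.findall(stable_index))
    return sorted(p for p in t if p in s and compare_versions(t[p], s[p]) < 0)
```
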