
Re: security in testing



Please get this OFF of debian-private and onto -devel. Quote me anywhere.

On Tue, May 13, 2003 at 11:23:52AM +0300, Chris Leishman wrote:

> Security should be important in the testing distribution.
> [etc. etc. etc.]

If you want to see security updates for 'testing', then start preparing
security updates for 'testing'. It does not help to describe in detail
what you hope that someone else will do. The best (and often only) way
for you to promote your agenda is to start doing the work.

> 	1) People don't run testing, and hence we lose a large portion of
> 	our testing process
> 	2) There is more incentive to move to another distribution entirely

"Market share" arguments don't tend to carry much weight in Debian.
Developers in general don't stand to lose anything at all if Debian has
fewer users.

> - If a security vulnerability is found in a 'testing' package, then an
> announcement is made (perhaps a testing-security-announce list?)
> - The package is immediately withdrawn from the testing distribution.
> - If no fixed package is available, an empty 'placeholder' package is
> installed into testing along with a debconf message to inform the user
> that the package will be removed for security reasons.  The message
> should also indicate what the problem is, and what actions are required
> to get a new version into testing.  As an alternative, a downgraded
> version could be provided....

If you do not accept the arguments against this, then start doing it, and
see whether it is worthwhile.

> I think this process would provide the following advantages:
>
> - It would remove the security risk for _all_ testing users

Perhaps, but there are far easier ways for users to eliminate this risk,
such as running stable, or upgrading problematic packages to the unstable
versions.

If unstable has a fix for the bug, then it is a waste of time to work on
testing because users can just upgrade. If unstable does not have a fix
for the bug, then it is still a waste of time because unstable needs to
be fixed anyway, and that package will replace the one in testing once
it has survived in unstable.

> - It would provide strong incentive for people to help out in fixing RC
> bugs or patching packages in order to get the missing package back into
> testing.

If the package is not fixed by release time, it will be removed anyway.
It is the maintainer's responsibility to work toward having the most
releasable versions of his packages in 'testing'.

--
 - mdz


--
Please respect the privacy of this mailing list.

Archive: file://master.debian.org/~debian/archive/debian-private/

To UNSUBSCRIBE, use the web form at <http://db.debian.org/>.