
Re: I OBJECT IN STRONGEST POSSIBLE TERMS



OK, everyone take a deep breath.  We have a relatively important issue
to decide here, but I don't think that either ultimatums or losing
extremely important developers (like Ian) is going to solve the
problem.

The question is, do we wait a little longer to release Debian without
the X bug, or do we release it now so we don't slip our date even
further.

I think that either one is probably acceptable if we approach it in
the right manner, although I agree with Ian that we should hold off a
little longer and release 1.2 with the bug fixed.  My guess is that it
won't take long to find out that the new X packages are fine.  I've
installed 3.2 on several machines here with no problems other than the
dependency issues, and we already have several viable solutions for
that.

While I think that the security issue should take precedence over the
date slippage issue, I don't think it's the end of the world either
way.  The fact is we've been providing software with this bug for
months.  By releasing a new version, we're not making anything any
worse.

If we decide to release with the bug, we should draft a "press
release" that is highly visible on the FTP sites, and is posted to the
standard announce locations that goes something like this (I'm not
good at these things, so bear with me):

"We became aware of a serious security bug in X just before this
release, but did not have time to test the new packages that provide
the fix without causing a significant delay.  This bug primarily
affects multi-user public machines, (description of bug?).  We chose
not to delay since in our estimation, there were a large number of
people who could benefit from the new release, and would be unaffected
by the bug.  However, you are strongly urged to upgrade your X packages
as follows ...  This is especially important if you are administering
a public machine... We have already incorporated the fix into the
upcoming 1.3 release, and may fold it back into the current version
before that."

If we decide not to release with the bug, and hold off until we can
test X 3.2 with frozen, then we should make something like the
following announcement to the standard locations:

"We have become aware of a serious security problem with the version
of X that we had included in the 1.2 release.  As we are committed to
providing you with the highest quality software, we have decided to
postpone this release until the new version of X (which fixes the
bug), can be adequately tested with the rest of the software in the
distribution.  We will be announcing a formal beta-test period
shortly, and the official release will occur once we are satisfied
with the results.  We apologize for the delay, and hope you understand
our concerns.  Thank you."

Either way, informing the users is the key.  If you do something
reasonable, and explain yourself, most people won't have a problem.
It's when you don't keep them informed about their risks (in the case
of releasing with the bug) or your reasons (in the case of delaying to
fix the bug) that you can get into serious trouble.

Let's come to some sort of consensus.  At worst, Bruce has fiat, and
he can decide :<

--
Rob

