
Re: libc6_2.0.7r-3 considered harmful



> While I agree, the current management of the archives makes this quite
> difficult, as there isn't sufficient archive space to keep every old
> version of every package, which is the only way to be "absolutely" safe.

We don't have to.  Keeping the signed .changes file would be enough in most 
cases.  -2 is burned onto loads of CDs and as such will be available for 
ages.  Anyone with a copy and good Internet bandwidth could have had a copy in 
Incoming on master within an hour or two of the bug being noticed.

The current situation (-3 is _still_ in the archive, ready for some poor sod 
to download and die), is unacceptable IMHO, and we should try to ensure that 
we don't get into this situation again.

Even doing something like damaging the -3 files, so they are uninstallable
would be preferable to leaving them where they are.  Since -2 is available, we 
should have taken advantage of that fact, and used it.

This is taking too long, and for that reason we need a policy that 
automatically kicks in when a corrosive package hits the archive in future, so 
that we get to limit the damage.

How many people have been bitten by this since the bug was found?  We should 
have been able to prevent this damage in some way --- even if it means having 
no libc6 available for a couple of days, this seems preferable to breaking 
people's systems when we could avoid it.

Cheers, Phil.

