
Re: Proposal: security-patch team for hamm

On Fri, Jul 02, 1999 at 02:58:14AM -0400, Adam Di Carlo wrote:
> Debian mail acct <debian@skyron.harvard.edu> writes:
> > I've a proto-proposal to make: offering security updates for some or all
> > earlier releases in the current "top-level" tree instead of just the current
> > "stable" (i.e. for hamm as well as slink right now).
> [...]
> > So here's the idea: get a smallish set of volunteers who are still running
> > earlier releases (i.e. hamm for now) and who are willing to test exploits &
> > patches/fixes against it, and who will in turn roll the new .deb's when a hole
> > pops up.  Continue to do this until 3.0 comes out, and then drop support for
> > all the 2.x's except the most recent one, and drop that when 3.1 is stable.
> > Repeat for 3.x etc.
> > 
> > Less-ambitious idea: always support the release prior to stable in this way.
> > I really do think that otherwise, many potential debian users might be scared
> > off by how closely it's assumed they'll track the current release tree.
> > (Heck, Linus put out 2.0.37 almost 5 months after 2.2.0 first came out.)
>
> That was probably Alan Cox, not Linus.  A better example is how Sun is
> still delivering Y2K fixes etc for SunOS 4.x.
>
> The problem with these proposals is that (a) we don't even really
> maintain stable all that well; trying to have the Debian group also
> maintain hamm/bo/rex (even just security fixes) doesn't seem all
> feasible just from experience; (b) the debian official archive, on
> master.debian.org, doesn't even carry anything but stable/unstable
> (and sometimes frozen), and the infrastructure (debian/changelog,
> dupload, dinstall) doesn't support any distributions other than
> stable/unstable/frozen.

I agree it is fairly difficult to start maintaining older versions
of Debian. On the other hand, if security or stability issues come
up for older versions, I think we should try to fix them.
If the Debian archive does not support infrastructure for this, we
can decide on some simple mechanism for this, like a dedicated
web-site where packages can be downloaded.

We are a group of 500 developers. There must be some people out there
who are interested in setting this up.



 Joop Stakenborg PA4TU, ex-PA3ABA <pa3aba@debian.org>
 Linux Hamradio Applications and Utilities Homepage
