
Re: security.debian.org mirrors?

On Thu, Sep 02, 1999 at 10:18:14PM -0700, Guy Maor wrote:

> date?  Every time you want to put a package on security.debian.org,
> instead install it to stable and make a point-release.

Ok.  We are getting somewhere here.  Please excuse me for being stubborn. 
Exactly what does the maintainer making the security fix do?  He uploads the
package to master with distribution set to stable, and _also_ uploads it to
security.debian.org (and tells the security team about it, I presume).  Is
that right?  If so, dinstall picks the new release within the next 24
hours and it gets installed in proposed-updates.  Is this right so far?  So,
I can have a mirrored copy of the updated package within 36 hours (because
the way our mirror is set up) ... that's fine with me.

Now, my problem is some users don't want everything in proposed-updates. 
Could we _please_ have security-updates on master archive?  Just a bunch of
symlinks to proposed-updates and/or stable; this directory would contain
everything strictly security-related that has changed wrt the first stable
release (say, 2.1.0); if the picture I depicted above is right, the problem
with proposed-updates is that the release manager hasn't approved everything
on it.  I trust the maintainers to be extremely conservative about what gets
uploaded to proposed-updates, but I trust the release manager even more.

For example, I just looked in proposed updates, and I found this entry in
one of the packages:

   * /usr/share/doc

See my point now?  There are 15 .changes files there and only 5 explicitly
list security changes.  The other 10 could have been called release
critical, but they don't seem to be security related.

> I was under the impression that security.debian.org was a permanent
> place for security updates so that URLs would always be correct.

That was the impression I was getting, too.

