Re: Outrage at Debian dropping security for 2.1

To: Debian Developers ML <debian-devel@lists.debian.org>
Subject: Re: Outrage at Debian dropping security for 2.1
From: Anthony Towns <aj@azure.humbug.org.au>
Date: Sat, 30 Sep 2000 05:09:26 +1000
Message-id: <[🔎] 20000930050925.A368@azure.humbug.org.au>
Mail-followup-to: Debian Developers ML <debian-devel@lists.debian.org>
In-reply-to: <[🔎] 20000929173547.B3018@wyvern>; from adrian.bridgett@iname.com on Fri, Sep 29, 2000 at 05:35:47PM +0100
References: <[🔎] Pine.LNX.3.96.1000928115214.21046A-100000@localhost> <[🔎] 20000928233637.B26753@deadbeast.net> <[🔎] 20000929173547.B3018@wyvern>

On Fri, Sep 29, 2000 at 05:35:47PM +0100, Adrian Bridgett wrote:
> For important packages I'd say leave it _at least_ a year before stopping
> security fixes for important programs (such as *ftpd but _not_ quake).

Well, someone who cares is welcome to continue maintaining
security-updates for slink or hamm or bo, or whatever. I'd guess the
security team don't have the time or inclination to do this, and I'd
also guess that there's at best a low probability of them accepting new
and unproven members at the drop of a hat, so this would probably have
to be done somewhat outside debian at least for a while.

But I doubt it would be particularly difficult to arrange.

> Users should upgrade when they want to, not due to lack of security fixes.

Well, note that there's much less disincentive to upgrade with Debian
than with most products: it's largely automated, it's free, and we go
to a great deal of effort to support partial upgrades.

> I think one way to manage this is to get a more automated build system.  How
> about trying to work around to only having packages compiled on build boxes
> - maintainers can only upload diffs and tarballs?

The problem with this is that any extra automated tools won't be in slink:
they'll be in potato or woody, so you won't be able to make use of them
when recompiling slink packages. Backporting fixes to something a few
revisions old is also generally non-trivial and non-automatable. Adding new
versions of things is all very well until they start relying on new versions
of other stuff too.

> Then by uploading a patch, some automation might be possible and most
> certainly the amount of effort taken would be reduced - just upload the
> changes and watch all platforms get recompiled automatically....

And when the changes aren't clean? Or when the builders don't have the
right dependencies installed (remember, pre-woody doesn't have consistent
build-dependencies and pre-slink doesn't even have apt officially)?

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``We reject: kings, presidents, and voting.
                 We believe in: rough consensus and working code.''
                                      -- Dave Clark

Attachment: pgpRjy6lSprDy.pgp
Description: PGP signature

Reply to:

References:
- Re: Outrage at Debian dropping security for 2.1
  - From: Jonathan Walther <krooger@debian.org>
- Re: Outrage at Debian dropping security for 2.1
  - From: Branden Robinson <branden@debian.org>
- Re: Outrage at Debian dropping security for 2.1
  - From: Adrian Bridgett <adrian.bridgett@iname.com>

Prev by Date: Re: bugs by submitter
Next by Date: Re: xdm not pamified?
Previous by thread: Re: Outrage at Debian dropping security for 2.1
Next by thread: Re: Outrage at Debian dropping security for 2.1
Index(es):
- Date
- Thread