[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian 3.0r1

Brian May wrote:
> However, there is security software that is non-experimental in nature
> that is already in woody.
> eg. amavis, scannerdaemon and clamav.
> If this packages are not kept up-to-date on user's systems, then the
> result could be that a new virus gets into (or perhaps even worse: out
> of) a sites computer network due to a minor bug in one of the programs
> that prevents in from checking for viruses properly (and yes, I have
> already discovered and worked around several on these types of bugs;
> although I don't know if woody was affected... Not to mention the virus
> database in woody is static and already obsolete, but in unstable you
> get the option to automatically download the latest version).

I may be willing to accept updated databases for these tools/packages.
I guess this would still fit into out scheme of having a stable stable

If these packages, however, require new versions of the programs to be
installed into the archive, I'm still on the 'no new code' trip and
will probably reject them if uploaded (assuming the software supports
rejections at that time).

I do know that having security software stable and static is
problematic.  However, Debian is not up for random updates to random
packages in the stable distribution.  If this is required, a separate
archive for these tools need to be set up and maintained.  It may be
possible to use security.debian.org for this, but I doubt.

> Then it is OK to have packages in woody that both the maintainer and
> upstream authors recommend you should not use. eg. because the version
> in woody is old, obsolete, and contain numerous potential security
> fixes?

In such a case I'd rather have the packages removed from woody.  If
the packages are not ready for a stable release that lasts for a year
or longer, they are not stable at all and should not be included in
the first place.

> Even though this software is still experimental and the change won't
> affect any *real* users?

In such a case I wonder why they were included in woody in the first
place.  Instead of an update, I'd rather remove the packages entirely
if they don't classify as stable enough for a stable Debian release.



GNU GPL: "The source will be with you... always."

Please always Cc to me when replying to me on the lists.

To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: