[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian 3.0r1



On Wed, Jul 31, 2002 at 11:21:19AM +1000, Brian May wrote:
> However, this discussion is seems pointless, it might be better just to
> fork the Debian archive and create another archive for security updates
> in it that do not meet Debians strict criteria for security updates...

So how about we stop trying to use the same words for two completely
different things, and see if there _is_ some reasonable way for us to
handle this.

Security updates are fixes to problems that allow undue access to
your system. That's not what you're talking about.

You're talking about updates to security-related software: virus checkers,
scriptkiddie checkers, and the like. (Actually, to digress, are there
actually packages of this nature that work well?) The properties of that
sort of software is probably:

	* when it gets out of date, it becomes substantially less usefull:
	  a transparent web filter that's a few weeks old sucks when a new
	  CodeRed type thing comes out; likewise an email virus checker
	  that doesn't cope with the latest variant in .jpeg viruses

	* "updates" often involve significant rewrites of code,
	  rather than just changing a datafile, which could cause security
	  problems of its own, and doesn't match the "backports only"
	  policy for stable

Since stable revisions only come every couple of months, it's possible
that they're just not frequent enough for security products, so you might
need to setup some other archive anyway. But even so, you probably want
to ask "why deliver something five months out of date, when you could
have something only two months out of date?"

The backports only policy is trickier. It'd bad to violate that because
most people just aren't infallible enough to get things right first time
every time, and it's rare for packages to get anywhere near as much
testing before they hit stable as after they do so. The kernel's an
exception; there may be reason to make some security-related packages
exceptions too. It'd probably be more reasonable to do so if any
non-backport updates for stable of amavis etc had already been used by
lots of people, which is probably a reason to setup some other archive
for that, too.

Or not.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''

Attachment: pgpJ3LOfVsNTZ.pgp
Description: PGP signature


Reply to: