[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Freeze Please?

On Fri, Feb 07, 2003 at 07:14:05PM +0100, Marcelo E. Magallon wrote:

> On Fri, Feb 07, 2003 at 10:11:08AM -0500, Matt Zimmerman wrote:
>  > Please don't, unless these bugs will make a significant difference in
>  > allowing the unstable packages to progress into testing.
>  I don't follow you.  Is it your concern that making this information
>  readly available (via the BTS) will make users of testing more
>  suceptible to attacks or something like that?

No, I'm saying that cluttering the BTS with hundreds of critical and grave
bugs that the maintainer can do nothing about is not a useful thing to do.

>  I don't really think it's hard to get this information.  You just need to
>  have a look at the DSAs, a look at packages.debian.org and perhaps at the
>  changelogs of the packages in testing and you are done.

How to collect this information is not an issue, though in reality it is
often not as simple as this.

>  We seem to have the same intention: prevent accidentally releasing
>  something with security bugs present.  My reasoning is that if the
>  information is filed in the BTS it will be easier to fix the problems.
>  The maintainer sees that the version in testing has a security problem,
>  the version in unstable doesn't, he makes a security upload to testing,
>  it gets autobuilded and installed.  If the version in unstable eventually
>  makes it to testing, the maintainer can close the bug.  If it doesn't
>  testing gets released with a fixed version.

And who is going to manually review and process all of these uploads to
testing, and clean up the mess when maintainers (for example) just re-upload
the current unstable package?

Having maintainers make uploads to testing-security at all seems like a
recipe for disaster.

>  > I already have this information for all DSAs and many other bugs which
>  > did not affect stable, but do affect testing or unstable.
>  Good for you.  Why isn't it available on a visible place?

Because it isn't yet.  If you are volunteering to take responsibility for
publishing this information responsibly (this is different from spamming the
BTS), then by all means proceed.  Otherwise, stop bitching about it, as it
does not help me at all.

 - mdz

Reply to: