Re: Freeze Please?

On Sat, Feb 08, 2003 at 07:34:50PM +0100, Marcelo E. Magallon wrote:

>  Just to make sure I understand what you are saying... what do we say to
>  people using testing regarding vulnerabilities in that distribution?
>  "That's just a temporary situation, wait until the fixes flow in from
>  unstable?"  Or are you just saying that security uploads for testing are
>  required, just not yet?

What we currently tell people is that they must keep track of security
updates on their own, and pull the updates from unstable when necessary.
There is no guarantee that these updates will even be available in unstable
in a timely fashion, or that testing will at any time be free of known
security bugs.

During a freeze, careful uploads (of the same sort made for DSAs) can be
made to testing to fix very specific bugs without introducing any other
changes, in order to bring testing up to date with security fixes as part of
the preparation for a release.  I don't think that it makes sense to upload
security fixes to testing during any other time, since they should get the
fixes from unstable instead.

The fact that many fixes are not currently flowing in from unstable is a
temporary situation due to bugs in some critical packages.  While this is
not a unique situation, I think it is still an exception, and that we should
try not to make things more difficult in the normal case in order to make
provisions for this kind of exceptional situation.

 - mdz

