[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: security in testing

Please get this OFF of debian-private and onto -devel. Quote me anywhere.

On Tue, May 13, 2003 at 11:23:52AM +0300, Chris Leishman wrote:

Security should be important in the testing distribution.
[etc. etc. etc.]

If you want to see security updates for 'testing', then start preparing
security updates for 'testing'. It does not help to describe in detail what you hope that someone else will do. The best (and often only) way for you
to promote your agenda is to start doing the work.

	1) People don't run testing, and hence we lose a large portion of
	our testing process
	2) There is more incentive to move to another distribution entirely

"Market share" arguments don't tend to carry much weight in Debian.
Developers in general don't stand to lose anything at all if Debian has
fewer users.

- If a security vulnerability is found in a 'testing' package, then an
announcement is made (perhaps a testing-security-announce list?)
- The package it is immediately withdrawn from the testing distribution.
- If no fixed package is available, an empty 'placeholder' package is
installed into testing along with a debconf message to inform the user
that the package will be removed for security reasons.  The message
should also indicate what the problem is, and what actions are required
to get a new version into testing.  As an alternative, a downgraded
version could be provided....

If you do not accept the arguments against this, then start doing it, and
see whether it is worthwhile.

I think this process would provide the following advantages:

- It would remove the security risk for _all_ testing users

Perhaps, but there are far easier ways for users to eliminate this risk,
such as running stable, or upgrading problematic packages to the unstable

If unstable has a fix for the bug, then it is a waste of time to work on
testing because users can just upgrade. If unstable does not have a fix for the bug, then it is still a waste of time because unstable needs to be fixed
anyway, and that package will replace the one in testing once it has
survived in unstable.

- It would provide strong incentive for people to help out in fixing RC
bugs or patching packages in order to get the missing package back into

If the package is not fixed by release time, it will be removed anyway. It is the maintainer's responsibility to work toward having the most releasable
versions of his packages in 'testing'.

 - mdz

Please respect the privacy of this mailing list.

Archive: file://master.debian.org/~debian/archive/debian-private/

To UNSUBSCRIBE, use the web form at <http://db.debian.org/>.

Reply to: