Re: security in testing
Please get this OFF of debian-private and onto -devel. Quote me
On Tue, May 13, 2003 at 11:23:52AM +0300, Chris Leishman wrote:
> Security should be important in the testing distribution.
> [etc. etc. etc.]
If you want to see security updates for 'testing', then start preparing
security updates for 'testing'. It does not help to describe in detail
what you hope that someone else will do. The best (and often only) way for
you to promote your agenda is to start doing the work.
> 1) People don't run testing, and hence we lose a large portion of
>    our testing process
> 2) There is more incentive to move to another distribution entirely
"Market share" arguments don't tend to carry much weight in Debian.
Developers in general don't stand to lose anything at all if Debian has
> - If a security vulnerability is found in a 'testing' package, then an
>   announcement is made (perhaps a testing-security-announce list?)
> - The package is immediately withdrawn from the testing distribution
> - If no fixed package is available, an empty 'placeholder' package is
>   installed into testing along with a debconf message to inform the user
>   that the package will be removed for security reasons. The message
>   should also indicate what the problem is, and what actions are required
>   to get a new version into testing. As an alternative, a downgraded
>   version could be provided....
If you do not accept the arguments against this, then start doing it and
see whether it is worthwhile.
> I think this process would provide the following advantages:
> - It would remove the security risk for _all_ testing users
Perhaps, but there are far easier ways for users to eliminate this risk,
such as running stable, or upgrading problematic packages to the
If unstable has a fix for the bug, then it is a waste of time to work on
testing because users can just upgrade. If unstable does not have a fix for
the bug, then it is still a waste of time because unstable needs to be fixed
anyway, and that package will replace the one in testing once it has
survived in unstable.
> - It would provide strong incentive for people to help out in fixing RC
>   bugs or patching packages in order to get the missing package back into
If the package is not fixed by release time, it will be removed anyway. It
is the maintainer's responsibility to work toward having the most recent
versions of his packages in 'testing'.
Please respect the privacy of this mailing list.
To UNSUBSCRIBE, use the web form at <http://db.debian.org/>.