
Re: security in testing



On Wed, May 14, 2003 at 10:19:08AM -0400, Matt Zimmerman wrote:
> On Wed, May 14, 2003 at 10:07:16AM +0300, Chris Leishman wrote:
> > 
> > On Tuesday, May 13, 2003, at 05:20 PM, Matt Zimmerman wrote:
> > >If you want to see security updates for 'testing', then start preparing
> > >security updates for 'testing'.  It does not help to describe in detail
> > >what you hope that someone else will do.  The best (and often only) way
> > >for you to promote your agenda is to start doing the work.
> > 
> > Actually - I didn't suggest this.  I suggested there should be some
> > consensus on what to do about security problems in testing - my main
> > suggestion is that packages should be simply removed and the user notified
> > of what actions they can do to get it back (such as upgrading to an
> > unstable version, downgrading to a stable version, or fixing the bugs).
> 
> I think that users would react rather negatively to having packages (ones
> that they use) effectively disappear from their system, but the only way to
> be certain is to experiment with the process.  You can easily simulate this
> by providing dummy packages in a private repository.
> 
> > >>	1) People don't run testing, and hence we lose a large portion of
> > >>	our testing process
> > [...]
> > The important point was the first one.  The 2nd one was just another 
> > effect of not doing anything about the issue which some people might 
> > care about.
> 
> We didn't even have testing until quite recently, and it is likely that
> unstable users still provide the majority of our testing.  IMHO, it is only
> particularly valuable for users to run testing when a release is
> approaching (at which point security updates and removals take place en
> masse).

Yes, but this is not something that is clearly said. Many people run
testing without even being aware that there may be security issues, or
more precisely, that the security issues are orders of magnitude worse
than even what is in sid.

Friendly,

Sven Luther


