
Re: security in testing



On Wednesday, May 14, 2003, at 06:03 PM, Steve Langasek wrote:
<snip>
> So, I guess I'll be filing with ftp.d.o to have the vulnerable Samba
> package removed from testing.

And I guess this was the point I was trying to suggest. I feel that if there is no other solution ready (e.g. there is no fixed package available) it should be policy to either remove packages with security problems from testing or in some way warn users (e.g. via a replacement containing a very loud warning).

My suggestion doesn't mean that someone can't put in the effort and actually do security updates that make it into testing - it just helps protect users if this doesn't happen (or takes a long time).

Personally I don't think updates via s.d.o is the right way since testing isn't a frozen distribution - fixed packages should be able to go straight into there. But that opinion is entirely separate from my removal suggestion.

Regards,
Chris
