
Re: security in testing



On Wednesday, May 14, 2003, at 10:02 PM, Matt Zimmerman wrote:
<snip>
There is no shortage of opinions about what "we" should do, but there is unlikely to be any action until an "I" arises who actually does the work. This has been discussed over and over with the same result each time (i.e., no action).

Well, this is why I was suggesting a simpler process. Since nobody seems to want to spend the effort organising security updates for testing, but lots of people seem unhappy with the idea that testing contains known security bugs, then the packages in question should be simply removed or replaced automatically.

Then people can bitch and moan about package X not being available and can do something to fix it (e.g. finally start doing security updates for testing). Or they can just put up with it. But either way, their box won't be a honey pot.

I'm not advocating that 'we' should start doing security updates for testing without putting my hand up. If I thought it was worth it and I had the time, I would. But on both counts I don't, so I'm simply suggesting that the policy for testing should be altered so that testers don't have to worry about unknowingly having packages with known security problems installed. And to be honest, I really don't know how 'I' can go about organising that - or even which of 'removal' or 'replacement' would work - and hence why I thought some discussion was appropriate.

Regards,
Chris
