Re: security in testing

On Thu, May 15, 2003 at 01:20:08AM +0300, Chris Leishman wrote:

> On Thursday, May 15, 2003, at 12:42 AM, Matt Zimmerman wrote:
> >The idea being discussed, as I understand it, is to have fewer security
> >vulnerabilities in 'testing'.  The only sane way to accomplish this is to
> >fix the bugs.  There has been a disproportionate amount of strategizing
> >around this simple idea.
> The problem, as I see it, is that it's not always a case of just fixing
> the security bugs.  The version of samba in unstable has the security
> problems fixed, but there's all sorts of other issues holding it up from
> going into testing.
> You could hold to the argument, and claim that those bugs also need to be
> fixed in order to remove the security vulnerability from testing.  I don't
> think this is appropriate, however, since it means the vulnerability may
> be present for far longer than it needs to be.

I am not suggesting that folks wishing to provide security updates for
testing must go through unstable, only that they fix the bugs rather than
removing packages and such.  There is no reason why these fixes, based on
the versions of packages in testing, should go into unstable if the bugs are
already fixed there.  They should go into a security update repository, just
as is done for stable, but not on security.debian.org.

> Alternatively you could argue that someone needs to prepare special
> security updates for testing.  This may be ideal - a fixed package could
> be put into testing and all would be well.  But as you've pointed out,
> nobody seems to be volunteering to organise this - so it probably won't
> start happening any time soon.  And there's probably a strong argument
> that it's overkill and that effort would be better spent on fixing all the
> weird bugs that are stopping an update moving from unstable to testing in
> the first place.

That is indeed what I have suggested to those who want security updates for

I don't think that unstable would suffer too much from such an approach;
those who are able and willing to prepare security updates for testing are
not necessarily willing or able to fix unrelated RC bugs which prevent the
progression of packages into testing.

Personally, I think it would not be time well-spent, but I see no reason to
stand in the way of those who would volunteer their time to do it.  I am
sure there are some who would find it a useful service.

 - mdz