
Re: conflicts-based solution (was Re: security in testing)



On Wed, May 14, 2003 at 07:12:15PM -0400, Joey Hess wrote:

> So here's an alternative that would actually work:
> 
> Take the harden package, or create something similar: a package that
> conflicts with all versions of packages with known security holes. Note
> that harden currently does not track all security holes; it has been
> released only twice in the past 6 months and the last update for security
> conflicts seems to have been in August.
>
> Upload each new release of this package (should be arch: all) to
> unstable with urgency=critical. It will enter testing in two days each
> time. You might eventually arrange something special with AJ that gets
> it into testing with no delay at all, but that's more likely to happen
> once the thing is already in place, and users are already using it, and
> we know it actually helps the state of testing and security.
> 
> So -- promote the hell out of it. Post to debian-announce, get it added
> to the description of testing on the web site, post an article to debian
> planet, and to debian-user. Make sure users know about it and install it
> when using testing.
> 
> Doesn't seem that hard..

A very interesting idea, and would require perhaps the minimum possible
effort on the part of the promoter.  No patches, nor backports, nor separate
repository; only a bit of bookkeeping.

If no one will step forward to do even this, then surely this service must
not be considered particularly valuable.

-- 
 - mdz


