Re: security in testing

To: debian-devel@lists.debian.org
Subject: Re: security in testing
From: Matt Zimmerman <mdz@debian.org>
Date: Wed, 14 May 2003 23:59:49 -0400
Message-id: <[🔎] 20030515035949.GG20698@alcor.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20030515031035.GB19367@azure.humbug.org.au>
References: <20030513142055.GD25426@alcor.net> <[🔎] B21CC0CD-85DA-11D7-84D2-003065F97418@debian.org> <[🔎] 20030514082225.GA28123@azure.humbug.org.au> <[🔎] 20030514150332.GB7083@tennyson.netexpress.net> <[🔎] 20030514172712.GN13945@alcor.net> <[🔎] 20030515031035.GB19367@azure.humbug.org.au>

On Thu, May 15, 2003 at 01:10:35PM +1000, Anthony Towns wrote:

> On Wed, May 14, 2003 at 01:27:12PM -0400, Matt Zimmerman wrote:
> > This is an excellent point.  Testing users do not expect updates from
> > securit.debian.org, so there is no reason that they need to be kept
> > there.
> 
> Not putting them there, means not taking advantage of the buildds that
> automatically build uploads to the security archive, the nice, memorable,
> domain name, or any of the mirrors of debian-security. That's not "no
> reason".

There are no mirrors of security.debian.org, and have not been for as long
as I have been aware.  See the security team FAQ.

I don't consider the domain name to be a serious justification.

Do you honestly think would be a good idea to use testing-security this way
on a continual basis?  Such an endeavor would not seem to require any of the
facilities which make foo-security different from foo{,-proposed-updates}.
If you think this makes sense, why not run a testing-proposed-updates
instead?  Or even allow uploads directly to testing at the maintainer's
discretion?

> > This is a related, more general issue, of how to minimize the blockage
> > introduced by package dependencies.  I think this problem is much more
> > worthwhile to address than security updates targeted at 'testing'.
> 
> You're wrong: blockages can never be cleared quickly enough to make for
> timely security fixes. For security fixes, "timely" is "same day"; for
> testing, "timely" is "a couple of weeks".

(setting aside the question of whether you can declare my value judgement to
be "wrong"...)

Finding ways to minimize these blockages would benefit all packages'
progress into testing, security fixes included, and thereby greatly benefit
'testing' users, whatever their motivation might be.

Sidestepping the process to provide this kind of "timely" security update
for "unreleased" software, on the other hand, doesn't seem particularly
valuable to me.  If someone wants to provide this service, of course, that
is their prerogative.  However, this does not seem to have anything to do
with security.debian.org, the security team, or the foo-security
infrastructure.

-- 
 - mdz

Reply to:

Follow-Ups:
- Re: security in testing
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: security in testing
  - From: LapTop006 <laptop006@chriskaine.com.au>

References:
- Re: security in testing
  - From: Chris Leishman <masklin@debian.org>
- Re: security in testing
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: security in testing
  - From: Steve Langasek <vorlon@netexpress.net>
- Re: security in testing
  - From: Matt Zimmerman <mdz@debian.org>
- Re: security in testing
  - From: Anthony Towns <aj@azure.humbug.org.au>

Prev by Date: Re: security in testing
Next by Date: Re: Returning from "vacation". (MIA?)
Previous by thread: Re: security in testing
Next by thread: Re: security in testing
Index(es):
- Date
- Thread