
Re: security in testing



On Wed, May 14, 2003 at 11:59:49PM -0400, Matt Zimmerman wrote:
> There are no mirrors of security.debian.org, and have not been for as long
> as I have been aware.  See the security team FAQ.

deb http://mirror.pacific.net.au/debian-security/ stable/updates main

> Do you honestly think it would be a good idea to use testing-security this way
> on a continual basis?

Yes, I do. I think we should release DSAs for security problems in
testing, too.

> Such an endeavor would not seem to require any of the
> facilities which make foo-security different from foo{,-proposed-updates}.

The same applies to stable: the key differences are immediacy,
announcements and control, all of which are equally valuable for testing
as stable. In any event, testing-proposed-updates exists and works at
present, the only thing missing is people reliably uploading to it, and
evaluating whether uploads work well enough to be included in testing
or not. All the technical issues have already been addressed.

> > > This is a related, more general issue, of how to minimize the blockage
> > > introduced by package dependencies.  I think this problem is much more
> > > worthwhile to address than security updates targeted at 'testing'.
> > You're wrong: blockages can never be cleared quickly enough to make for
> > timely security fixes. For security fixes, "timely" is "same day"; for
> > testing, "timely" is "a couple of weeks".
> Finding ways to minimize these blockages would benefit all packages'
> progress into testing, security fixes included, and thereby greatly benefit
> 'testing' users, whatever their motivation might be.

Except that there can be no testing users while we don't provide security
updates. Using testing on a multi-user machine, or one that provides any
network services on a machine connected to the network, is not something
anyone can recommend in good conscience, and that rules out almost
everything Debian's actually good at.

> Sidestepping the process to provide this kind of "timely" security update
> for "unreleased" software, on the other hand, doesn't seem particularly
> valuable to me.

What, precisely, is unreleased about it?

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``Dear Anthony Towns: [...] Congratulations -- 
        you are now certified as a Red Hat Certified Engineer!''
