
Re: conflicts-based solution (was Re: security in testing)



On Thu, May 15, 2003 at 10:26:35PM +1000, Anthony Towns wrote:
> On Thu, May 15, 2003 at 11:13:59AM +0200, Sven Luther wrote:
> > On Thu, May 15, 2003 at 09:03:06PM +1000, Anthony Towns wrote:
> > > On Thu, May 15, 2003 at 08:09:48AM +0200, Sven Luther wrote:
> > > > On Thu, May 15, 2003 at 01:13:19PM +1000, Anthony Towns wrote:
> > > > > On Wed, May 14, 2003 at 07:12:15PM -0400, Joey Hess wrote:
> > > > > > Take the harden package, or create something similar: a package that
> > > > > > conflicts with all versions of packages with known security holes.
> > > > > Why not just /fix/ the holes? Is uploading a package with a well known
> > > > > patch _really_ that hard?
> > > > The fact is, we don't have a security architecture, or even autobuilders
> > > > for testing, 
> > > Uh, actually, we have both these things. We've had them for almost a year
> > > now, although they haven't been used.
> > So, the infrastructure is there, but not turned on ?
> 
> No, it's sitting there, waiting for someone to use it. After a year's
> neglect it might need some metaphorical oil on its hinges and some
> dusting, but it really is there. I'm not just saying this for rhetorical
> value.

Ok, I had the impression this was not the case, but then, maybe I
misremembered or something such.

So, the right and easy solution for the samba security bug is to upload
the source package to testing-proposed-update, and it will get rebuilt
on all testing-supported architectures in time.

What happens then: will it stay apart, or get transitioned into testing
when all arches have rebuilt?

I suppose a testing pbuilder or something such would be needed for the
initial upload and not pure source, since we don't have an arch: all
autobuilder.

What about version numbers? Should the same version number as the
unstable package be used, or only the minor debian version number be
bumped, with maybe an additional testing or security part?

Also, should we use this only for security fixes, or also for other RC
bugs or even non-RC bugs? Where is the limit, and if there is one, who
will enforce it?

Friendly,

Sven Luther
