Re: security in testing
[Removed debian-private from Cc-List, there is *no* need to duplicate
the thread there]
On Fri, May 16, 2003 at 07:58:44AM +0200, Sven Luther wrote:
> 2) a way for people for which stable is too outdated to run more
> advanced software, without suffering from the breakages of unstable.
> By saying this we clearly imply that it is better to run testing
> than unstable.
Sure, but we _still_ tell people that care for security *to run
stable*. No one was ever told that unstable is secure and should be used
for critical services....
> Sure, this was before we had time to test testing,
> and before we became aware of the big stalls implied, and the fact
> that security wise testing is worse than unstable.
And still, unstable _is_ bad according to security. We do NOT encourage
people to run unstable for secure machines, so why do you think that
telling people to rather use testing than unstable for not-secure things
is a bad idea? Just take the long time that the kde2 packages in unstable
were still vulnerable because their maintainers thought that kde3 would
soon make it into unstable (or whatever the real reason was -- the
reason doesn't really matter, so don't pin me down on that).
> This second goal is today a total failure,
I don't think so. Security was never part of that second goal.
> I still think that the second goal can be achieved. Probably the fact to
> use testing-proposed-update for security and RC bugs would be enough, i
> don't know, only experience will tell.
Some people stepping forward to do actual work on that part would be
needed, then it might be enough. People repeating the same phrases and
accusations over and over again are not enough, though.