
Re: security in testing



On Fri, May 16, 2003 at 12:38:39PM -0400, Stephen Frost wrote:
> * Michael Banck (mbanck@debian.org) wrote:
> > On Fri, May 16, 2003 at 10:06:57AM -0400, Stephen Frost wrote:
> > > People are only going to bitch if you make it look like an
> > > official part of Debian when it isn't, and rightly so.
> > 
> > Why the hell do you think this should not be an official part of Debian?
> 
> It may be eventually if it works out.  It doesn't need to be to begin
> with.  The work certainly does not require the result being an official
> part of Debian.  You seem to fail to understand that.

You seem to fail to understand that people don't pull security updates
from Joe-Random-NM-or-not's server. Of course, one can set up a
repository with testing-security-updates. Whether it would (or should)
actually be used is another matter.

I'm all for starting, implementing and testing *new* projects outside of
the current infrastructure before they get transferred to .debian.org.
But the infrastructure and the procedures *are* there, we just need to
do it.

> > > Debian provides you with all the tools you need. 
> > 
> > Debian does not provide you with credibility, though. I doubt a lot
> 
> You don't need to be part of Debian to do the work and to make it
> available.

See above.

> > > In the time you've spent on this thread you could have done it,
> > > easily.
> > 
> > If providing reliable testing security could be provided in the time
> > I've spent on this thread, it would already have been done by the
> > current security-team, I'm sure.
> 
> The comment was that you could have created the repository, which is
> all that being a DD would do for you (the Debian repository is already
> created).  The work of providing reliable security updates for testing
> would not have been done just because you were made a DD.

Huh? How could a DD create a repository somebody else cannot? The only
place that would be is people.debian.org/~<login>, right? That'll be
quite a bad place for security updates because I think one still cannot
pin different repositories at p.d.o to different priorities. Correct me
if I'm wrong.
	
> You took the comment out of context and then replied to it as that.
 
I was not aware that you might actually argue about such a minor
implementation detail. Sure, I could have set up a repository while I was
writing those lines, but what does an empty repository serve to the
problem? You seem to say yourself that it actually takes time to provide
security updates. 

Time, and the trust of the other Debian developers, the users and
ideally of the security-team. There are a couple of DDs whose
security-for-testing-repository would be put instantly into my
sources.list (if I actually ran testing). There are a couple of others
I'd rather install Windows98 at home like my parents urge me to do than
do that.

Michael

-- 
<joshk> asuffield: screw m68k :)
<joshk> j/k
<elmo> joshk: screw your application :)
<elmo> j/k
<elmo> hoho, see how funny those kind of jokes are?


