
Re: security in testing



On Fri, May 16, 2003 at 04:09:28PM -0400, Stephen Frost wrote:
> * Michael Banck (mbanck@debian.org) wrote:
> > I wouldn't feel like setting up a repository for testing that only
> > clueless people-who-put-every-apt-line-they-see-in-their-sources-list[0]
> > would use.
> 
> Others would see what you had done and you could post patches to the BTS
> with the fixes in them, etc.

You seem to be missing something:

I'm not the least bit interested in running a testing-security
repository outside of Debian. Furthermore, I've neither the skill, nor the
time to contribute to something like this integrated into Debian. I've
merely pointed out that such a repository, maintained by an NM outside of
Debian, would not be *anywhere* near an acceptable solution, because of
the reasons I put forth in this thread.

You're saying: "You want security for testing? Do it yourself!"
I'm saying: "Sure, people could do it for themselves, but how would that
benefit Debian as a whole?"

> > 1. See above
> > 2. I don't have the time
> > 3. I'm not running testing
> 
> Ah, so, you don't have the time.  That would be the reason testing
> hasn't got security updates- not enough skilled people with the time to
> actually *do* it.  

Exactly.

> People with the time and skills, DD or not, could provide updates and
> eventually I think these people and updates would be incorporated into
> Debian in a move where Debian would then start officially supporting
> testing.  

Like I said, if people like dark, Kamion, vorlon, etc. would go forth and
start a testing-security initiative, I'd be thrilled by this. If
<you-know-who> or somebody unknown to the project would come along,
people would say: "So what?" and go away.

> I don't believe Debian should ever do it piecemeal or partially.  If
> it's going to be done then it needs to be done completely and we must
> have enough people to do it before we announce that we will.
 
Exactly.

> > I must be totally missing something. Is one getting the s3kr1t
> > "create-a-repository-key" when you are becoming a DD? Where would these
> > repositories be located? Nobody told me so!
> > 
> To create a repository you just need a couple debs and website and the
> tools to create the Packages files, ie: dpkg-scanpackages.

Aha. And what exactly buys you being a DD in this regard? That's the
implementation detail I was talking about earlier. You said
repositories would be easier to set up if one was a DD, if I'm not
completely mistaken?

Michael

-- 
<azathoth> why can't alyssa milano live next door to me, be lonely and
        need the satisfaction and fulfillment that only a 20 year old
        computer programmer can provide...
* azathoth shakes his fist at god and goes back to his debugging


