
Re: security in testing

On Fri, May 16, 2003 at 09:30:46AM -0400, Matt Zimmerman wrote:
> > Yes, and funnily enough, uploads to -p-u have to be processed by the
> > release manager, either Joey for stable, or me for testing. How's the
> > phrase go? "You suggest distributing the workload, and your concrete
> > suggestions are exactly the opposite of that."
> "So add people."  See where this is going?
> With t-p-u, any maintainer can upload their package, review the build logs,
> fix any problems, re-upload, etc.  Why would you want the security team to
> do this instead?

One of the paragraphs you didn't quote answered that question:

> > Again, the security architecture is there for a reason: it's so
> > we have a quick, effective way to get security updates out and
> > so we can prepare security updates before they've been publicly
> > announced. testing-proposed-updates simply does not manage either of
> > those things, just as stable-proposed-updates doesn't.

security.debian.org is set up for security updates -- it's specifically
designed to get them out as quickly as possible, to announce them,
and to keep the secret if they've not been widely announced.

I don't care if *you* are the person that's doing it, or if it's some
complete newbie to the security team; what I do care about is not wasting
or unnecessarily duplicating the infrastructure we've specifically
designed for this job.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``Dear Anthony Towns: [...] Congratulations -- 
        you are now certified as a Red Hat Certified Engineer!''
