Re: security in testing



On Wed, May 14, 2003 at 01:27:12PM -0400, Matt Zimmerman wrote:
> On Wed, May 14, 2003 at 10:03:32AM -0500, Steve Langasek wrote:
> 
> > Figuring that a security upload would be preferable, I approached the
> > security team and offered to prepare an upload.  I was effectively told
> > that this isn't done, and because it isn't done, most testing users don't
> > have security.d.o in their sources.list, so don't bother.
> 
> This is an excellent point.

Really? I think it's a pisspoor point. I think that maintainers who care
enough to do the necessary work should be encouraged to do it. The argument
above is circular, chicken-and-egg style.

If people like Steve, who maintain important packages like Samba, bother
to create the necessary packages, then:

a) It's a good start -- once people see these things starting to appear,
more maintainers will bother, and users will start to put the relevant
lines in their sources.list;
b) They damn well should be made available.

> Testing users do not have such an entry in sources.list, so any other
> repository would be on equal footing.  However, so far no one has taken any
> action to coordinate this, nor has anyone prepared updates for testing that
> would occupy such a repository.

If this other repository had access to autobuilding facilities, then yes,
it might be on an equal footing. I believe that the work was put in to
enable automated security builds for woody (as aj keeps telling us).
Why not use it? If it's a case of manpower, what's needed?

As others have argued, I don't believe it's necessary that testing's security
effort be as good as stable's. If it's not, it's important to make sure that
users are aware of the level of security they're getting (so perhaps a
different name for the repository would be advisable?).

In any case, I think that "security updates when anyone can be bothered"
(which would be likely to be whenever the maintainer cared lots, or when
the issue and the package were important enough to motivate another
developer to contribute) would be an improvement on the status quo.


> This is a related, more general issue, of how to minimize the blockage
> introduced by package dependencies.  I think this problem is much more
> worthwhile to address than security updates targeted at 'testing'.

There is no denying that that would be a useful issue to overcome, but
I'm not sure I agree that it's more important than (at least some potential)
security updates to testing, let alone much more.


Cheers,


Nick
-- 
Nick Phillips -- nwp@lemon-computing.com
Avoid reality at all costs.