
Re: security in testing



>>>>> "Gerfried" == Gerfried Fuchs <alfie@ist.org> writes:

    Gerfried> * Sven Luther <sven.luther@wanadoo.fr> [2003-05-16
    Gerfried> 13:33]:
    >> Such a package should be as close as possible to the version
    >> actually in testing, and not depend on packages and/or versions
    >> that are not yet in testing.

    Gerfried>  So, you request more or less that every developer
    Gerfried> should backport fixes themselves from the usual new
    Gerfried> upstream version that fixes the problem (and mostly
    Gerfried> always have new features too) to the version in testing,
    Gerfried> which might even be older than just one upstream
    Gerfried> release, due to usual holdups in the transition. It
    Gerfried> sounds like you like to have every developer be able to
    Gerfried> do what the security team does. That requires much skill
    Gerfried> -- much more than most of us possess!

I'd actually hope that you would be capable of doing this sort of back
porting for any package you maintain.  You should certainly be doing
this for packages in stable, giving the security team tested patches,
rather than having them do the job of maintaining your packages for
you.

Sure, that's an ideal.  And perhaps you don't have these skills yet
and are still working on gaining significant skill with your packages
and with the languages they are written in.  If so, then you should
look for co-maintainers who do have the necessary skill sets to
provide security updates for your packages.  Even if you completely
ignore testing security, anything you can do to reduce the work load
on the security team will mean that Debian is less behind on
publishing security updates and will better help us serve our users.


--Sam


