
Re: Why back-porting patches to stable instead of releasing a new package.

On Wed, Jul 23, 2003 at 09:10:01AM -0400, Matt Zimmerman wrote:
> This is already in the security team FAQ, and in the developers reference in
> section "Preparing packages to address security issues", but
> apparently it requires further explanation, because this issue comes up from
> time to time.  I will expand the developer's reference more when I get a
> chance.  The main points are:

That would be cool.

> - Security advisories and the associated packages should fix security
>   vulnerabilities and nothing else.  It is irresponsible to "sneak in"
>   additional changes or try to use a security vulnerability as an excuse to
>   bypass the normal process for updating a package in stable to fix other
>   bugs.
> - If your package is so buggy in stable that it is useless, you should have
>   made an upload to proposed-updates a long time ago.  Don't wait for a
>   security advisory and try to use that to get random bug fixes in.  They
>   will not be accepted as part of a security update.

Things are clearer now. You're right: I should have done a new package in
time, but you probably ignore that, due to lack of time, I've filed an RFA on
phpgroupware which resulted in many mails and no real effort (apart from a new
version from Tilo Levante a short time ago). In this span of time the package was
subject to many bugfix releases, which I could not care about. Now that I'm
back working on it I have to deal with a security issue. What am I supposed to
do? Build a new version for the proposed-update procedure?

Luca - De Whiskey's - De Vitis              | Elegant or ugly code as well
aliases: Luca ^De [A-Z][A-Za-z\-]*[iy]'\?s$ | as fine or rude sentences have
Luca, a wannabe ``Good guy''.               | something in common: they
local LANG="it_IT@euro"                     | don't depend on the language.
