Re: Why back-porting patches to stable instead of releasing a new package.



On Sat, Aug 16, 2003 at 12:48:26PM +0100, Mark Brown wrote:

> That's talking about something different - it's saying that by keeping
> more current with upstream releases we would be able to avoid security
> problems which only occur in older versions.  That's another way of
> putting the frequently made criticism that we really ought to do stable
> releases more often.

Agreed.  Releasing more often means that our software is more current, which
means that there are more opportunities for bugs to be fixed.  Of course,
this has nothing to do with the security update process.

> It also assumes that security bugs are only fixed and never introduced by
> new versions - there have also been times when Debian has been unaffected
> by security problems because stable contained a version of the software
> predating the code containing the vulnerability.

This is actually quite common.  When a major piece of new functionality is
introduced, it sometimes takes a number of months for even simple
vulnerabilities to be shaken out.  As one of the few advantages of releasing
so seldom, we often find out about this kind of thing long before it makes
it into one of our releases.

Of course, there are more than enough undiscovered bugs in the software that
we already ship, and in most cases they still exist in unstable as well.
The case where a bug is discovered and fixed but not announced is relatively
rare.  The "bug exists only in unstable" and "bug exists in both stable and
unstable" cases are more common.

-- 
 - mdz
