Re: Why back-porting patches to stable instead of releasing a new package.

To: Debian Developers <debian-devel@lists.debian.org>
Subject: Re: Why back-porting patches to stable instead of releasing a new package.
From: Andrew Pimlott <andrew@pimlott.net>
Date: Sat, 16 Aug 2003 13:23:50 -0400
Message-id: <[🔎] 20030816172350.GC13200@pimlott.net>
Mail-followup-to: Debian Developers <debian-devel@lists.debian.org>
In-reply-to: <[🔎] 20030816163800.GO24636@alcor.net>
References: <20030717151620.GA23268@debian.org> <20030721174232.GL13924@alcor.net> <20030722122252.GC24699@debian.org> <20030722223606.GB15133@alcor.net> <20030723081555.GA32048@debian.org> <20030723131001.GH15582@alcor.net> <[🔎] 20030816044514.GB6887@pimlott.net> <[🔎] 20030816144417.GK24636@alcor.net> <[🔎] 20030816145635.GA13200@pimlott.net> <[🔎] 20030816163800.GO24636@alcor.net>

On Sat, Aug 16, 2003 at 12:38:00PM -0400, Matt Zimmerman wrote:
> So if maintainers prepare thoughtful updates for stable, with clear and
> documented changes which fix real bugs and nothing more, then we should
> accept them into stable?
> 
> That is what proposed-updates is.  Most maintainers don't use it.

Probably because most users don't use it.  Seriously, maybe better
use of proposed-updates is all I'm asking for.  If there is a good
policy for proposed-updates (and your wording looks fine) and it is
publicized, then users can decide which to use, and we can learn by
experience which tends to work better for whom.

> For almost every bug we have fixed in woody, even if we had somehow pushed
> every upstream change into stable since it was released, we would still have
> been vulnerable.  Security researchers, of all kinds, can and do find new
> bugs all the time.

That's partly because security researchers generally look for new
bugs, and most security advisories come from the proactive work of
researchers (as opposed to reaction to exploits).

If I'm a bad guy, I think I'd first try the publicized holes.  If
the target machine applies his patches, the next thing I'd try is
"overlooked" bugs, the ones I'm talking about.  Only if that failed
would I try to find a new hole.

This is all very hypothetical, I grant, but my gut tells me it's a
problem.

> The urgency of a bug does not, in general, bear any direct relationship to
> its age.  Consider the local root vulnerabilities in the kernel which
> existed from 2.2 through 2.4.  If the bug is significant enough to warrant a
> fix in stable, please send a note to team@security.debian.org with the
> details.

Done.

Andrew

Reply to:

References:
- Re: Why back-porting patches to stable instead of releasing a new package.
  - From: Andrew Pimlott <andrew@pimlott.net>
- Re: Why back-porting patches to stable instead of releasing a new package.
  - From: Matt Zimmerman <mdz@debian.org>
- Re: Why back-porting patches to stable instead of releasing a new package.
  - From: Andrew Pimlott <andrew@pimlott.net>
- Re: Why back-porting patches to stable instead of releasing a new package.
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: Searching Co-Maintainer and/or testers for linux-atm
Next by Date: Re: Bug#205705: ITP: jext a source code editor written in Java
Previous by thread: Re: Why back-porting patches to stable instead of releasing a new package.
Next by thread: Bug#205689: ITP: juman -- a Japanese Morphological Analysis System
Index(es):
- Date
- Thread