
Re: Snort: Mass Bug Closing



On Mon, Aug 25, 2003 at 10:19:55AM +0200, Sander Smeenk wrote:
> Quoting Javier Fernández-Sanguino Peña (jfs@computer.org):
> 
(...)
> It's annoying now, to see what bugs really are bugs, and what are bugs

You mean "are bugs related to the latest version" instead of "really are 
bugs".

> filed against stable. Some submitters didn't even specify
> versionnumbers.

Why don't you tag the bugs as such? (i.e. pertaining to 'stable')

> 
> > > Before you object to this rather 'rude' bughandling, please keep in mind
> > > that version 1.8.4 of snort
> > Then you should work towards fixing them in stable or having ftp-masters 
> > agreeing with including a new (backported) version at proposed-updates.
> 
> We've been over this in debian-security before. I fixed the 1.8.4
> package once, it got rejected, and I tried to have 2.0.x installed in
> Stable, but of course, you can't put a new upstream version in a released
> stable Debian.

Why did it get rejected? I'm surprised about that. As for putting a new 
upstream version in a released stable Debian, it did happen on some occasion 
(openssh anyone?)

> That's why I'm doing backports on p.d.o, and that's why I want the bugs
> closed if I can't fix them.

But you have to agree with me that that's completely useless. It does not 
help users at all and it's even against their best interest (since they 
cannot see that the package is buggy!) The only thing that it helps is your 
'karma' wrt Debian bug count :-)

> 
> > > It's for the users' best interest that I tell them to use the new version.
> > It is for the best interest of the users that you provide a proper 
> > snort version in proposed-updates.
> 
> THEN LET ME! 

Do it, and maybe discuss here why it got rejected. 

> ffs!  I know the way I'm going now isn't the correct way, but the tight
> rules about updating stable prevent me from doing it any better. Staying
> with 1.8.4 in Stable is useless, it is outdated, which is bad for a
> security tool. Going with 2.0.1 is impossible, because it might (and
> probably will...) introduce new bugs to stable.

So open a bug in ftp.debian.org, like it was done with Nessus, and have the 
security team or the Release Manager agree with you in including a new 
version instead of backporting. Those tight rules are not that tight, 
remember OpenSSH.

> 
> > This is a similar situation to #183524. We have to determine a way to
> > remove packages completely out of stable (due to unfixable security bugs,
> > for example) in a way that does not leave users exposed to these and their
> > bugs.
> 
> A pseudo-package. But then what. 
> Have people not run snort while using stable?
> 

That is, as a matter of fact, what has been proposed in some of the bug 
reports. You said so yourself in bug 173254 which, BTW, should be 
re-opened. And maybe re-assigned to the release manager or the 
security team? Or tagged security, or whatever. Bugs should be handled, not 
closed.

> I'm sorry if I sound harsh, I don't mean to. That's because of the rest
> of the replies in this thread. Don't take it personally okay ;)

I won't.

Regards

Javi

PS: Please don't CC me, I'm in the list.
