On Tue, Sep 14, 2004 at 02:10:17PM +0100, Martin Michlmayr wrote:

> Maybe we should just relax the stable update policy for such packages,
> and others which would benefit from regular updates (e.g. drivers).

I think we do need to come up with a mechanism to allow functionality updates between stable releases. What are we saying to our users by not doing this? Are we saying that they're better off not using something like an IDS? Can we really not offer our users the benefit of using packages such as ClamAV, SpamAssassin, or Snort within the Debian system?

People have suggested additional sections in the archive for packages like this... So how 'bout this idea:

A new section, possibly entitled "volatile". Packages in this section declare that they may change, but only between point releases of the OS. Dependencies of such packages also belong in volatile.

Before a package in volatile can be updated to a new upstream version, maintainers of packages that depend on this package must sign off that their package is compatible with the new version, or they must provide a new package to maintain compatibility.

The security team only needs to support the most recent version of the package in "volatile", since in general they only support packages in the latest point release of stable anyway.

Users who don't install packages from volatile don't have to worry about running vulnerable packages due to security holes or outdated databases or whatever, since they don't have these packages installed to begin with.

Comments? I just came up with this off the top of my head, making it up as I went along, so it's very possible that I've overlooked something.

noah