
Re: Updating scanners and filters in Debian stable (3.1)

Colin Watson <cjwatson@debian.org> writes:

> On Tue, Oct 05, 2004 at 12:08:42PM -0700, Thomas Bushnell BSG wrote:
> > Stephen Gran <sgran@debian.org> writes:
> > > I am under the impression that 'normal procedures' does not involve
> > > updating the application to catch new threats.  If I'm wrong, then there
> > > is no need for this entire thread.
> > 
> > Talk to the security team.  Talk to the security team.  Talk to the
> > security team.
>
> Thomas, that's enough. Other people have legitimate disagreements with
> your preferred approach; rude use of repeated assertion is not going to
> automatically win you the argument.
>
> FWIW, I think that every upload to the security archive should be
> accompanied by a security advisory. I wouldn't be at all surprised if
> the security team felt that uploads that don't merit security advisories
> were an inappropriate use of their archive.

Yes, that's a perfectly reasonable attitude on their part.  It is
tantamount to "these don't require updates" or some such.

I'm not saying we must do it at all.  I'm saying that security is the
responsibility of the security team, and not debian-devel.  Having not
heard from the security team what they think, and this apparent
reluctance to actually ask them and carry on the discussion with them,
means that it will probably never get addressed.

The over-the-top "so then I'm going to file bugs to have the packages
just removed" is tantamount to "my way or the highway".  By contrast,
I think the whole question is the responsibility of the security team,
and I trust them to do what is appropriate.

