[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Updating scanners and filters in Debian stable (3.1)



This one time, at band camp, Thomas Bushnell BSG said:
> Colin Watson <cjwatson@debian.org> writes:
> > FWIW, I think that every upload to the security archive should be
> > accompanied by a security advisory. I wouldn't be at all surprised if
> > the security team felt that uploads that don't merit security advisories
> > were an inappropriate use of their archive.
> 
> Yes, that's a perfectly reasonable attitude on their part.  It is
> tantamount to "these don't require updates" or some such.
> 
> I'm not saying we must do it at all.  I'm saying that security is the
> responsibility of the security team, and not debian-devel.  Having not
> heard from the security team what they think, and this apparent
> reluctance to actually ask them and carry on the discussion with thim,
> means that it will probably never get addressed.

I thought that 'issues related to the development of debian' was on topic
for this list.  It is not at all clear to me that this is a security
issue, because outdated A/V software usually does not place the server
it runs on at risk for compromise.  I am trying to discuss if and how
these kinds of packages should be distributed, and I rather like the
idea of volatile.debian.org.  Since we do not at present have a
volatile.debian.org, this seems like the best place to discuss it.

> The over-the-top "so then I'm going to file bugs to have the packages
> just removed" is tantamount to "my way or the highway".  By contrast,
> I think the whole question is the responsibility of the security team,
> and I trust them to do what is appropriate.

I think you misunderstood me.  I was not intending to stomp my feet and
have a tantrum.  I honestly do not believe outdated A/V software is
useful in the modern internet, and so I don't see why we should ship it
if it can't be updated in band.

Take care,
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------

Attachment: pgp917Ho7i6le.pgp
Description: PGP signature


Reply to: