Security Support and other reasoning (was: Re: Bits (Nybbles?) from the Vancouver release team meeting)

To: debian-devel@lists.debian.org
Subject: Security Support and other reasoning (was: Re: Bits (Nybbles?) from the Vancouver release team meeting)
From: David Schmitt <david@schmitt.edv-bus.at>
Date: Mon, 14 Mar 2005 18:27:04 +0100
Message-id: <[🔎] 200503141827.04954@zion.black.co.at>
In-reply-to: <[🔎] 20050314130633.GC10133@pegasos>
References: <20050314044505.GA5157@mauritius.dodds.net> <[🔎] 200503141302.34779@zion.black.co.at> <[🔎] 20050314130633.GC10133@pegasos>

On Monday 14 March 2005 14:06, Sven Luther wrote:
> > My answer is that I don't care enough for tow out of 15 boxes for the
> > hassle, I will update them to sarge, be grateful for the gracetime given
> > and - iff nobody steps up to do the necessary porting and security work -
> > donate them to Debian when etchs release leaves my current nameserver
> > without security updates.
> >
> > What would you say, if I asked you to provide security support for sparc
> > because _I_ need it for my nameservers?
>
> There was no comment from the security team about this new plan, we don't
> know for sure that this is the problem, we don't even know in detail what
> the problems are and how do they relate to the drastic solutions (in france
> we would say horse-remedies) proposed here.

The problem I - as a system administrator - see is that waiting a week for a 
security update might be not acceptable.

Of course there are many scenarios where there is no need for such tight 
security, but it seems only honest to make the difference obvious?

> > to put down hard, objective and verifyable rules where everyone can
> > decide whether an arch deserves use of central Debian resources like
> > mirrorspace on the central network.
>
> But why, and is it the good/best solution ? Why did they not consult with
> the arch porters before hand ? Why did they not put the announcement in a
> more diplomatic and inviting way ?

We are all only humans? We are all emotionally laden? 

I think putting down rules under which circumstances a arch is eligible for 
tier-1 is a good thing. This reminds me to the oft-cited "We hide no 
problems": for some, a week waiting until a security update is built _is_ a 
serious problem, for others shlib-skew and testing propagation are, others 
again need a working installer.

Taken together these seem to make the difference between tier-1 and 2.

Regards, David
-- 
- hallo... wie gehts heute?
- *hust* gut *rotz* *keuch*
- gott sei dank kommunizieren wir über ein septisches medium ;)
 -- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15

Reply to:

Follow-Ups:
- Re: Security Support and other reasoning (was: Re: Bits (Nybbles?) from the Vancouver release team meeting)
  - From: Hamish Moffatt <hamish@debian.org>

References:
- Re: Bits (Nybbles?) from the Vancouver release team meeting
  - From: David Schmitt <david@schmitt.edv-bus.at>
- Re: Bits (Nybbles?) from the Vancouver release team meeting
  - From: Sven Luther <sven.luther@wanadoo.fr>

Prev by Date: Re: Bits (Nybbles?) from the Vancouver release team meeting
Next by Date: Mirror Network (was: Re: Bits (Nybbles?) from the Vancouver release team meeting)
Previous by thread: Re: Package flow scenarios
Next by thread: Re: Security Support and other reasoning (was: Re: Bits (Nybbles?) from the Vancouver release team meeting)
Index(es):
- Date
- Thread