On Mon, Mar 14, 2005 at 06:53:14PM -0600, John Goerzen wrote: > On Tue, Mar 15, 2005 at 11:46:51AM +1100, Matthew Palmer wrote: > > On Mon, Mar 14, 2005 at 04:27:50PM +0100, Matthias Urlichs wrote: > > > If I had to think of a rationale for it, the only one I could think of > > > would be "the architecture needs to be fast enough not to block security > > > updates". > > > > > > However, I consider an update whose $ARCH binaries are released a week > > > later not to be a problem. > > > > I think a lot of users would consider it a problem. Imagine, would you be > > happy with a highly visible public announcement of every vulnerability > > against your servers, a week before you got the fix? > > If I'm running m68k, I probably wouldn't care so much, and besides -- > Debian security announcements are rarely the first highly visible > public announcement of a vulnerability. But a DSA *is* the first highly visible announcement that *Debian* is affected. A general "this is a problem" announcement might make the crackers cackle with glee, but a DSA with a "m68k, mips, and arm updates will be forthcoming in a week or so" is a signal to brush off that list of Debian boxes running the relevant arches you had been quietly collecting for a couple of months. It may not be a plausible scenario, considering that the vast majority of attacks are very dumb automated "scan the bejesus out of everything" type things, but it just feels to me like we'd be doing a little too much of the bad guys' work for them. - Matt
Attachment:
signature.asc
Description: Digital signature