
RFC: allow new upstream into stable when it's the only way to fix security issues.


As is currently being discussed on debian-security [1], the security team 
is having a hard time supporting the mozilla family of packages because of 
an unfriendly upstream policy: they don't want to isolate security fixes 
from the large changesets of new upstream releases. And given the huge size 
of the package, isolating security patches at the Debian level also fails.

So options seem to be:

(1) keep vulnerable packages in stable,
(2) remove affected packages from distribution,
(3) allow new upstream into stable.

(1) is how it was done in woody times; however I think that most people 
agree that it is a very bad option to keep users' systems vulnerable.

(2) may be a solution - but since mozilla and related packages (firefox, 
thunderbird, galeon) are widely used, removing those looks like a serious 
violation of the SC ("Debian supports its users").

(3) is against the way Debian has worked for years. However, isn't it 
time to tune our processes to keep up with real-world issues better?

Maybe in rare cases like this one, when there seems to be no other way to 
keep an important package set secure, we should allow a new upstream into 
Debian Stable?
This should be an extremely rare situation; probably approval from the 
Technical Committee should be needed in each case.

What do you think about this?

[1] http://lists.debian.org/debian-security/2005/07/msg00315.html
