
Re: RFC: allow new upstream into stable when it's the only way to fix security issues.



Joe Smith wrote:
> How about if it meets the following criteria:
> 
> 1. it has been in testing for 10 days (been in sid at least 20 days)

This means the security hole was disclosed at least 20 days ago,
probably more.

> 2. Iff it fixes a critical security problem, uploaded to security (This
> requires security team and/or stable RM approval).

Requiring more manual action, give this at least a few days I'd say.

So we're looking at leaving our users exploitable for the better part of
a month, before we even release an update, in the *best case* under this
procedure.

I think we can generally expect that a package like Mozilla Firefox will
take more than 10 days to get into testing, especially if we're in the
middle of, say, a C++ transition. Also, it's quite possible the
maintainer convincing the security team to release the update, and then
the security team actually doing so, could take another week (remember,
Mozilla takes a while to autobuild, too).

This could easily leave our users vulnerable for over a month. Is that
really acceptable on today's Internet? It doesn't take long at all for
exploit code to be written and released into the wild.


