[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: allow new upstream into stable when it's the only way tofix security issues.

Joe Smith wrote:
> How about if it meets the folowing critieria:
> 1. it has been in testing for 10 days (been in sid at least 20 days)

This means the security hole was disclosed at least 20 days ago,
probably more.

> 2. Iff it fixes a critical security problem, uploaded to security (This
> requires security team and/or stable RM approval).

Requiring more manual action, give this at least a few days I'd say.

So we're looking at leaving our users exploitable for the better part of
a month, before we even release an update, in the *best case* under this

I think we can generally expect that a package like Mozilla Firefox will
take more than 10 days to get into testing, especially if we're in the
middle of, say, a C++ transition. Also, its quite possible the
maintainer convincing the security team to release the update, and then
the security team actually doing so, could take another week (remember,
Mozilla takes a while to autobuild, too).

This could easily leave our users vulnerable for over a month. Is that
really acceptable on today's Internet? It doesn't take long at all for
exploit code to be written and released into the wild.

Reply to: