[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: allow new upstream into stable when it's the only way to fix security issues.

On Fri, Aug 05, 2005 at 08:22:43AM +0200, Marc Haber wrote:
> On Mon, 1 Aug 2005 11:37:11 +0200, md@Linux.IT (Marco d'Itri) wrote:
> >On Aug 01, "W. Borgert" <debacle@debian.org> wrote:
> >> On Sun, Jul 31, 2005 at 10:07:10PM +0000, Roland Rosenfeld wrote:
> >> > But how do you push the users to remove the package from their
> >> > systems?  In reality they will keep the broken version installed and
> >> > so you have (1) again :-(
> >> Empty package with a higher version number?
> >And exactly, how this would help our users?
> It will keep them from using a vulnerable version of the software, and
> will probably encourage them to get a fixed version from outside
> Debian proper (e.g. volatile).

If there is really no chance to get something new in (or remove them), I
would suggest that those packages affected should be allowed to push a
minimal patched package to the security archive that tries to warn the users
about the potential security problems in the package and how to obtain a new
one (e.g. on the default startpage).

 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack            | : :' :      The  universal
 asac@debian.org           | `. `'      Operating System
 http://www.asoftsite.org  |   `-    http://www.debian.org

Reply to: