Re: RFC: allow new upstream into stable when it's the only way to fix security issues.

On Fri, Aug 05, 2005 at 08:22:43AM +0200, Marc Haber wrote:
> On Mon, 1 Aug 2005 11:37:11 +0200, md@Linux.IT (Marco d'Itri) wrote:
> >On Aug 01, "W. Borgert" <debacle@debian.org> wrote:
> >> On Sun, Jul 31, 2005 at 10:07:10PM +0000, Roland Rosenfeld wrote:
> >> > But how do you push the users to remove the package from their
> >> > systems?  In reality they will keep the broken version installed and
> >> > so you have (1) again :-(
> >> Empty package with a higher version number?
> >And how exactly would this help our users?
> It will keep them from using a vulnerable version of the software, and
> will probably encourage them to get a fixed version from outside
> Debian proper (e.g. volatile).

If there is really no chance to get something new in (or remove them), I
would suggest that those packages affected should be allowed to push a
minimal patched package to the security archive that tries to warn the users
about the potential security problems in the package and how to obtain a new
one (e.g. on the default startpage).

