
Re: RFC: allow new upstream into stable when it's the only way to fix security issues.



Yaroslav Halchenko dijo [Mon, Aug 01, 2005 at 06:06:27AM -0400]:
> On Sun, Jul 31, 2005 at 11:10:04PM +0400, Nikita V. Youshchenko wrote:
> > (1) keep vulnerable packages in stable,
> > (2) remove affected packages from distribution,
> > (3) allow new upstream into stable.
> My 1 cent would be a merge of (2) and (3)...  it is more of the
> formalization so we wouldn't need to think about it on a next occasion
> with some other package
> 
> (2) - remove from the stable distribution
> (3) - create /rolling-updates or whatever better name would be in a
>       fashion like /security-updates.
> 
> Drawbacks: 
> 
> users who had mozilla installed would need to tune their
> /etc/apt/sources.list, although some dummy transitional package
> "mozilla" which wipes out vulnerable pieces from stable  can do it for
> them (debconf)
> 
> Advantages: 
> * stable is kept stable - no unstable parts in the main body. It would
>   provide clean and sharp boundary between stable and "rolling" packages
>   if  more to come for some reason
> 
> * concise addition of /rolling-updates helps to understand why then
>   hack apt-get upgrade goes crazy so often and downloads stuff into
>   stable distribution

Basically agree with what you say - When the need for an update
arises, we can send to security an empty package informing the user
that if he wants to continue using the program, he should get it from
volatile... Only there are some catches.

Think of the prime example here: Mozilla. How many packages depend on
it? And not only on mozilla, but on mozilla-*? If we maintain each
such set of changes as an independent package set, we will end up with
hundreds of Debian pseudo-stable flavors (you can probably take the
'hundreds' quite literally at the end of a release cycle). We should
strive to have _one_ stable distribution - If for nothing else, for
the ability of reliably upgrading.

Greetings,

-- 
Gunnar Wolf - gwolf@gwolf.org - (+52-55)1451-2244 / 5623-0154
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF
