Re: ssl security desaster

To: debian-devel@lists.debian.org
Subject: Re: ssl security desaster
From: Russ Allbery <rra@debian.org>
Date: Fri, 16 May 2008 11:59:16 -0700
Message-id: <[🔎] 87ej82ulbv.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20080516183827.GA14368@bluestein> (Martin Uecker's message of "Fri\, 16 May 2008 20\:38\:27 +0200")
References: <[🔎] 20080516183827.GA14368@bluestein>

Martin Uecker <muecker@gmx.de> writes:

> I don't now. I see no reason why all this good work which now ends up in
> Debian patches can't be seperated from the actual packaging work.

It's probably worth mentioning somewhere in this discussion that one of
the most common, perhaps the most common apart from FHS tweaks and other
Debian-specific modifications that upstream does not want, to patch
upstream source is to cherry-pick fixes from upstream before upstream has
done a new release.  That's most of the upstream patches to my packages,
for example.  A lot of those frequently indicates a close and very
fruitful interaction with upstream.  Waiting for upstream releases to fix
problems when the fix is known is not a great idea, IMO, particularly when
the problems are serious, and pulling an untested upstream VCS snapshot
with lots of other changes isn't a good idea.

I know that isn't the patch case that you were getting at, but it's
important, when discussing scenarios around patches, to allow for that one
as well.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Re: ssl security desaster
  - From: Martin Uecker <muecker@gmx.de>

Prev by Date: Re: extensive patching
Next by Date: Re: How to handle Debian patches
Previous by thread: Re: ssl security desaster
Next by thread: Re: ssl security desaster
Index(es):
- Date
- Thread