
Re: Dreamhost dumps Debian



On Tue, August 20, 2013 19:40, Steve Langasek wrote:
> On Tue, Aug 20, 2013 at 06:35:08PM +0200, Pau Garcia i Quiles wrote:

>> IMHO that should be turned around: package maintainers should be the
>> ones responsible for updates and the Security Team should help with that
>> (e.g. by providing tips and/or reviewing the fixes)
>
> That's not the understanding that was in place when I joined Debian.
> Certainly there seems to be a move by the security team to push more and
> more responsibility onto the package maintainers lately; I understand the
> motivation (like everyone else they have more to do than they have time to
> do it in),

Division of labour is very important to sustain the security support for
the full breadth of the archive, but an important part of the shift in
responsibility is that the package maintainers are in better contact with
upstream and much more used to the intricacies of the software and its
packaging, and on top of that are probably in a well-suited position to test
the changes. Having the maintainers involved in creating updated packages is
therefore a much more preferable MO than the security team preparing the
updates on their own.

> but I think the outcome, whereby the security team denies use
> of the security update channel for non-"critical" security bugs and
> redirects maintainers to stable-updates instead, is unfortunate.  As far
> as I'm concerned, a security fix that isn't worth being pushed to
> security.debian.org is also not worth me spending time on as a maintainer
> to push to stable-updates.

And that is a very fair position. Everything that smells like security,
regardless of impact and seriousness, gets a CVE id and is called a
"security issue". The security team triages issues and decides what is not
critical enough for a DSA. Perhaps a good way is to see those issues as bugs
of severity up to "important": where it's arguable that it may improve Debian
by putting it into a spu, but it can equally well be argued that there are
better ways to spend your time.


Thijs

