Re: Dreamhost dumps Debian
On Tue, August 20, 2013 19:40, Steve Langasek wrote:
> On Tue, Aug 20, 2013 at 06:35:08PM +0200, Pau Garcia i Quiles wrote:
>> IMHO that should be turned around: package maintainers should be the
>> ones responsible for updates and the Security Team should help with that
>> (e.g. by providing tips and/or reviewing the fixes)
> That's not the understanding that was in place when I joined Debian.
> Certainly there seems to be a move by the security team to push more and
> more responsibility onto the package maintainers lately; I understand the
> motivation (like everyone else they have more to do than they have time to
> do it in),
Division of labour is very important to sustain the security support for
the full breadth of the archive, but an important part of the shift in
responsibility is that the package maintainers are in better contact with
upstream and much more used to the intricacies of the software and its
packaging, and on top are probably in a well suited position to test the
changes. Having the maintainers involved in creating updated packages is
therefore a much more preferable MO than the security team preparing the
updates on their own.
> but I think the outcome, whereby the security team denies use
> of the security update channel for non-"critical" security bugs and
> redirects maintainers to stable-updates instead, is unfortunate. As far
> as I'm concerned, a security fix that isn't worth being pushed to
> security.debian.org is also not worth me spending time on as a maintainer
> to push to stable-updates.
And that is a very fair position. Everything that smells like security
regardless of impact and seriousness gets a CVE id and is called a
"security issue". The security team triages issues and decides what is not
critical enough for a DSA. Perhaps a good way to see those issues as bugs
of severity up to "important": where it's arguable that may improve Debian
by putting it into a spu, but can equally well be argued that there are
better ways to spend your time.