[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Dreamhost dumps Debian

On Tue, Aug 27, 2013 at 11:51:40PM +0200, Moritz Mühlenhoff wrote:
> Steve Langasek <vorlon@debian.org> schrieb:
> > I understand the
> > motivation (like everyone else they have more to do than they have time to
> > do it in), but I think the outcome, whereby the security team denies use of
> > the security update channel for non-"critical" security bugs and redirects
> > maintainers to stable-updates instead, is unfortunate.  

> We don't "deny" anything here, the current implementation of the security
> release process simply doesn't allow more fine-grained control on who/how
> security updates can be released.

Your answer doesn't match my experience as a maintainer.  I have had
non-"critical" security bugs answered by the security team with a request
for upload to stable-updates, *not* to the security queue.  If I were to
upload those fixes to the security queue (which has been possible for years
AFAIK, since the current security embargoed/unembargoed upload queues went
into effect), what would the security team do with them?

To me, being redirected to stable-updates constitutes a refusal/denial by
the security team to use the security updates channel.  Again, if it's a
security issue that's not important enough to be an official security
update, it's not important enough for me to spend time on it as a stable
update either.  And if the security team doesn't want a particular update as
a DSA, I don't think they should be encouraging maintainers to spend time on
a non-security stable update for the issue (which is what I've seen in the

> > As far as I'm
> > concerned, a security fix that isn't worth being pushed to
> > security.debian.org is also not worth me spending time on as a maintainer to
> > push to stable-updates.

> Pushing minor issues through point updates is the same process other
> enterprise distros use as well; SLES and RHEL also pile up minor issues
> for point updates instead of sending out a security update.

> In the past such minor issues were simply left unfixed in stable. Since a
> few years we've established a process to systematically keep the
> maintainers informed (Jonathan Wiltshire runs a notification bot for
> that).

Well, I don't think that's a very good policy.  I don't see why, if the bug
is worth fixing in a stable release for security reasons, it should go
through the stable-updates channel instead of the security channel.  If the
argument is that there are multiple low-urgency security bugs that are not
worth individual uploads but that we should do roll-up uploads for once per
point release, I don't think the current mechanism is doing a very good job
of encouraging that.

Maybe instead of pushing this over to the SRMs, if the security team thinks
these bugs warrant a single update per package for the point release, it
would be better to have these staged in the security queue and only released
by the security team when it's point release time? 

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Attachment: signature.asc
Description: Digital signature

Reply to: