
Re: Dreamhost dumps Debian



On Tue, Aug 27, 2013 at 11:51:40PM +0200, Moritz Mühlenhoff wrote:
> Steve Langasek <vorlon@debian.org> schrieb:
> > I understand the
> > motivation (like everyone else they have more to do than they have time to
> > do it in), but I think the outcome, whereby the security team denies use of
> > the security update channel for non-"critical" security bugs and redirects
> > maintainers to stable-updates instead, is unfortunate.  

> We don't "deny" anything here, the current implementation of the security
> release process simply doesn't allow more fine-grained control on who/how
> security updates can be released.

Your answer doesn't match my experience as a maintainer.  I have had
non-"critical" security bugs answered by the security team with a request
for upload to stable-updates, *not* to the security queue.  If I were to
upload those fixes to the security queue (which has been possible for years
AFAIK, since the current security embargoed/unembargoed upload queues went
into effect), what would the security team do with them?

To me, being redirected to stable-updates constitutes a refusal/denial by
the security team to use the security updates channel.  Again, if it's a
security issue that's not important enough to be an official security
update, it's not important enough for me to spend time on it as a stable
update either.  And if the security team doesn't want a particular update as
a DSA, I don't think they should be encouraging maintainers to spend time on
a non-security stable update for the issue (which is what I've seen in the
past).

> > As far as I'm
> > concerned, a security fix that isn't worth being pushed to
> > security.debian.org is also not worth me spending time on as a maintainer to
> > push to stable-updates.

> Pushing minor issues through point updates is the same process other
> enterprise distros use as well; SLES and RHEL also pile up minor issues
> for point updates instead of sending out a security update.

> In the past such minor issues were simply left unfixed in stable. For a
> few years now we've had a process to systematically keep the
> maintainers informed (Jonathan Wiltshire runs a notification bot for
> that).

Well, I don't think that's a very good policy.  I don't see why, if the bug
is worth fixing in a stable release for security reasons, it should go
through the stable-updates channel instead of the security channel.  If the
argument is that there are multiple low-urgency security bugs that are not
worth individual uploads but that we should do roll-up uploads for once per
point release, I don't think the current mechanism is doing a very good job
of encouraging that.

Maybe instead of pushing this over to the SRMs, if the security team thinks
these bugs warrant a single update per package for the point release, it
would be better to have these staged in the security queue and only released
by the security team when it's point release time? 

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
