Re: goals for hardening Debian: ideas and help wanted
On Tue, April 29, 2014 18:45, Russ Allbery wrote:
> Marko Randjelovic <markoran@eunet.rs> writes:
>
>> I added this:
>
>> "Debian policy should require that in every source package all security
>> packages should be clearly marked as such in standard and easily
>> parsable way with optional further references."
>
> I don't agree with this statement.  I think there are far more important
> things to document in Policy that haven't yet been documented there than
> creating new rules about patch naming.  Note that, currently, Debian
> Policy doesn't require that you use separated patches *at all*, nor should
> it given that there is not project consensus for requiring that source
> package representation.

I'm quite unclear even on what problem it tries to solve. Debian already
extensively tracks which vulnerabilities affect which package versions,
and I don't see what sorting patches into 'security' and 'other' would add
to this.

Thijs