Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files
On Thu, Oct 30, 2014 at 1:12 AM, Russell Stuart wrote:
> On Wed, 2014-10-29 at 21:58 -0700, Russ Allbery wrote:
>> Also, this means that you completely miss security advisories that *don't*
>> involve changing a package in the archive, like "this thing is a disaster,
>> so we're pulling it from the archive entirely and suggest you stop using
> If it is so much of a disaster that it warrants pulling a package
> from stable, surely a little more notification than an email to a list
> most people don't monitor would be warranted? Something like replacing
> it with a package that sends email daily to root explaining the
> situation would be the very least you could do.
Just upgrading a package is not enough. Often enough services need
restarted, and that information can be stated in the DSA.

There are also end-of-life announcements, which maybe the
debian-security-support package now addresses in a somewhat automated

Anyway, it is entirely understandable that reading can be hard, but at
a minimum the truly security-conscious need to be able to do so.