[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild

On 2016-08-10 12:55, Ian Jackson wrote:
Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re:
Key collisions in the wild"):
On 2016-08-10 11:39, Ian Jackson wrote:
> It would be much better to put out a stable release update to change
> the default.  (Probably not a security update because of the risk of
> causing currently-vulnerable scripts to become nonfunctional, which is
> not something we normally do in security updates.)

Stable updates in point releases aren't fundamentally different in that
respect to those issued via the security archive.

I was under the impression that the intent was that there was a
meaningful distinction in the level of conservativeness between "take
security updates" and "take security updates and stable updates too".

If that's not the case, then I don't understand what the distinction

That depends on what you mean by "stable updates". If you mean those announced via debian-stable-announce@ then the primary difference is that they don't need to be (and often won't be) security-related. If you're talking about point releases, then from a security perspective the fundamental difference is the speed at which updates are made available to users.

Not all security updates are released via the security archive, but the difference is more likely to be a result of the manpower available to handle managing and releasing such updates and the perceived impact of the vulnerability. "We" assume that the majority of users will upgrade to stable point releases once they're available and there's a corresponding expectation on the part of our users as to what kind of updates will be included; the decision as to whether to break existing setups shouldn't be fundamentally different simply based on how the update was released.



Reply to: