Re: use long keyid-format in gpg.conf (Re: Key collisions in the wild
On 2016-08-10 12:55, Ian Jackson wrote:
> Adam D. Barratt writes ("Re: use long keyid-format in gpg.conf (Re:
> Key collisions in the wild"):
> > On 2016-08-10 11:39, Ian Jackson wrote:
> > > It would be much better to put out a stable release update to change
> > > the default. (Probably not a security update because of the risk of
> > > causing currently-vulnerable scripts to become nonfunctional, which is
> > > not something we normally do in security updates.)
> >
> > Stable updates in point releases aren't fundamentally different in
> > respect to those issued via the security archive.
>
> I was under the impression that the intent was that there was a
> meaningful distinction in the level of conservativeness between "take
> security updates" and "take security updates and stable updates too".
> If that's not the case, then I don't understand what the distinction
That depends on what you mean by "stable updates". If you mean those
announced via debian-stable-announce@ then the primary difference is
that they don't need to be (and often won't be) security-related. If
you're talking about point releases, then from a security perspective
the fundamental difference is the speed at which updates are made
available to users.
Not all security updates are released via the security archive, but the
difference is more likely to be a result of the manpower available to
handle managing and releasing such updates and the perceived impact of
the vulnerability. "We" assume that the majority of users will upgrade
to stable point releases once they're available and there's a
corresponding expectation on the part of our users as to what kind of
updates will be included; the decision as to whether to break existing
setups shouldn't be fundamentally different simply based on how the
update was released.