
Bug#542288: debian-policy: Version numbering: native packages, NMU's, and binary only uploads



On Tue, Sep  1, 2009 at 14:06:17 -0700, Steve Langasek wrote:

> On Tue, Sep 01, 2009 at 11:39:40AM +0200, Julien Cristau wrote:
> > On Sun, Aug 30, 2009 at 23:38:17 +0200, Lucas Nussbaum wrote:
> 
> > > That's unfortunate. Imagine the following scenario:
> > > 1. Package P is released in sarge, with version 1.0-1.
> > > 2. Package P is installed on a system S, running sarge.
> > > 3. etch is released with P 1.0-1.
> > > 4. A security bug is found in P.
> 
> > Does this actually happen?  How often?
> 
> Often enough that it's been discussed repeatedly over the years; not often
> enough that anyone has fixed it. :)
> 
Every time I've seen it discussed, it was by people who aren't part of
the security team, and so far the security team seem to say it's not a
concern for them, so for all I know it may just be theoretical…

Cheers,
Julien


