
Bug#542288: debian-policy: Version numbering: native packages, NMU's, and binary only uploads



On 01/09/09 at 23:14 +0200, Julien Cristau wrote:
> On Tue, Sep  1, 2009 at 14:06:17 -0700, Steve Langasek wrote:
> 
> > On Tue, Sep 01, 2009 at 11:39:40AM +0200, Julien Cristau wrote:
> > > On Sun, Aug 30, 2009 at 23:38:17 +0200, Lucas Nussbaum wrote:
> > 
> > > > That's unfortunate. Imagine the following scenario:
> > > > 1. Package P is released in sarge, with version 1.0-1.
> > > > 2. Package P is installed on a system S, running sarge.
> > > > 3. etch is released with P 1.0-1.
> > > > 4. A security bug is found in P.
> > 
> > > Does this actually happen?  How often?
> > 
> > Often enough that it's been discussed repeatedly over the years; not often
> > enough that anyone has fixed it. :)
> > 
> Every time I've seen it discussed, it was by people who aren't part of
> the security team, and so far the security team seem to say it's not a
> concern for them, so for all I know it may just be theoretical…

Well, one nice feature is that it was only theoretical during the etch +
lenny release cycles, since +b < +etch < +lenny < +nmu.
So it is not surprising that it stayed unfixed for so long.

However, this was broken with sarge (+sarge > +etch), and is broken
with squeeze with NMUs:
1. Package P is available in testing with version 1.0-1
2. A security bug is found in P
3. A testing-security upload is made (1.0-1+squeeze1)
4. The bug is fixed in unstable in an NMU, also fixing other bugs
(1.0-1+nmu1)
5. The user installs 1.0-1+squeeze1
6. P 1.0-1+nmu1 migrates to testing
At this point, the user should install 1.0-1+nmu1 (it contains fixes to
other bugs) but will stay with 1.0-1+squeeze1.
-- 
| Lucas Nussbaum
| lucas@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr             GPG: 1024D/023B3F4F |
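The orderings asserted in this message (+b < +etch < +lenny < +nmu, +sarge > +etch, and +squeeze1 > +nmu1) all follow from the dpkg version comparison algorithm specified in Debian Policy. The following is an added example, not code from the thread or from dpkg itself: a Python reimplementation of that algorithm (epoch, upstream version and Debian revision compared in turn; alternating non-digit/digit segments; `~` sorting before everything, letters before non-letters) together with a `would_upgrade` helper that models the only question apt asks, namely whether the candidate version compares greater than the installed one. The function names and the sample version strings are constructed for this example.

```python
from functools import cmp_to_key


def _order(c):
    """Ordering weight of a single character inside a non-digit segment,
    as dpkg defines it: '~' sorts before anything (even end of string),
    letters sort by ASCII, and other characters sort after all letters.
    End of string and digits are weighted 0."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or revision part).
    Alternates between a non-digit run (lexical with _order) and a
    digit run (numeric, leading zeros ignored). Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = (a[i] > b[j]) - (a[i] < b[j])
            i += 1
            j += 1
        # A longer run of digits is a larger number.
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts.
    Only the last '-' separates the revision; earlier ones belong upstream."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Full dpkg-style comparison: epoch first, then upstream, then revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    result = _verrevcmp(ua, ub)
    if result:
        return result
    return _verrevcmp(ra, rb)


def would_upgrade(installed, candidate):
    """apt only replaces a package when the candidate is strictly newer."""
    return compare_versions(candidate, installed) > 0


def sort_versions(versions):
    """Return the versions in ascending dpkg order."""
    return sorted(versions, key=cmp_to_key(compare_versions))


if __name__ == "__main__":
    # The scenario from the message: the testing-security upload is installed,
    # then the NMU with extra fixes migrates to testing. (Constructed versions.)
    installed, candidate = "1.0-1+squeeze1", "1.0-1+nmu1"
    print("upgrade to NMU?", would_upgrade(installed, candidate))  # False
    print(sort_versions(["1.0-1+nmu1", "1.0-1+b1", "1.0-1+lenny1",
                         "1.0-1+etch1", "1.0-1+squeeze1", "1.0-1+sarge1"]))
```

Running the script shows why the scenario ends badly: because `s` sorts after `n`, `1.0-1+squeeze1` compares greater than `1.0-1+nmu1`, so the NMU is never offered as an upgrade, while the same comparison ranks `+sarge1` above `+etch1`, exactly the ordering problem the message describes. The `~` rule (`1.0-1~rc1` sorting below `1.0-1`) is included because it is the only suffix that is guaranteed to sort below the version it extends.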