Reduce security release latency - Re: Concerns with Open/OS Corporate Linux ads?
On Tue, Aug 29, 2006 at 11:58:16PM +0200, martin f krafft wrote:
> also sprach Henning Makholm <firstname.lastname@example.org> [2006.08.29.2310 +0200]:
> > We also shouldn't fool ourselves into thinking that a commercial
> > repackager with a real dedication to security support (say, by hiring
> > a handful of full-time employees to keep it current, and also by
> > restricting their attention to one or a few architectures) could not
> > beat _our_ overworked, underpaid (etc) security team.
> Of course not. Yet I still thought their ad makes it look like we
> don't have anything...
> > July 6 - bug goes public through upstream's BTS, Debian bug filed
> > July 21 - fixed in sarge, DSA released
> I know this is a ridiculous time span, but it's better than nothing.
IMO it would be good to think about reducing average security release
latency by rolling them out as soon as packages have finished building
on all "major" architectures (>95% of our user base) ... and then push
fixed packages for "minor" architectures as soon as they become
Of course, we don't want to have 2nd class architectures, but waiting
for architectures to finish that are used "only" by a minority looks
flawed too. Especially if there is a buildd breakage involved.
I know it's a difficult question, but at least for large packages the
latency could certainly be reduced significantly.
Is there room for such kind of improvement within the bounds of our
GPG messages preferred. | .''`. ** Debian GNU/Linux **
Alexander Sack | : :' : The universal
email@example.com | `. `' Operating System
http://www.asoftsite.org/ | `- http://www.debian.org/