Re: Current 2.2r2 status

On Thu, Nov 23, 2000 at 12:35:19AM +1000, Anthony Towns wrote:
> On Wed, Nov 22, 2000 at 08:53:49AM -0500, Ben Collins wrote:
> > So we release immediately even though there are major security updates and
> > package revisions that need to be done? That sounds like RH release goals,
> > "make the point change, just so it looks like we are doing something".
> I repeat: at the moment potato has a number of security problems which
> have packaged, completed fixes. Furthermore, the Debian Project Leader is
> being cited as saying that ``Debian is broken'' [0], and the Debian
> Press Contact is on the record as having announced ``It is recommended
> that people wishing to install [...] updates or create CD images wait
> until the release of version 2.2r2 to do so'' [1]. Not only this, Debian
> is also on record as assuring users that ``A 2.2r2 release is expected
> within the next 10 days'' [2].

So do we want to change that to "wait for 2.2r3" just after releasing
2.2r2? IMO, if the security fixes don't get it, there is no way we can
recommend CD vendors using 2.2r2.

> Since I'm being held responsible both for the current situation and for
> resolving it, and since no one else appears to be willing to take over
> that responsibility, forgive me for not being overly willing to just
> let 2.2r1 sit around for a couple of weeks, or overly interested in
> negotiating about that timeframe.

Part of the reason I agreed to take on organizing the info for the release
was so that it was taken into account for the timeframe, which doesn't
appear to be happening.

> > > > - Security updates affecting base packages, Wichert. How long till this
> > > >   is done? What packages should we be watching for?
> > > > - Rest of security updates, Wichert (time frame again please).
> > > So in short, r2 will come out with what fixes are available, with the
> > > major goal of fixing the two notable bugs (pcmcia on i386 and dpkg on
> > > sparc uninstallable) with r1, so that Debian is once again willing to
> > > suggest people use potato, whether these are done or not.
> > > Security updates should be installed from security.debian.org.
> > I thought the whole point of point releases was to include the security
> > updates in the main release?
> The point is to improve the existing stable release, whether that be by
> adding useful features, fixing outstanding bugs, or closing security
> holes. If the whole point of stable revisions was security updates,
> it'd be the security team that would be managing them, not me.

IMO, we should not make another point release, with known issues.

> > > >   [sparc] Need to do a binary only gtk upload to fix deps between indep
> > > >           and arch packages. Will not affect other archs. This is needed
> > > > 	  for the openssh security fix to be compiled. [3 days]
> > > This is trivial to fix: it's just a matter of hard coding a version in
> > > debian/control. I'll mail you a patch privately after it's tested. (So
> > > I don't see any reason for the delay)
> > I realize that, which is what I was going to do to fix it.
> Three days just seems overly long, unless I'm missing something. ("three
> hours" I could've believed, except you were sleeping in the meantime...)

Assuming I have RL work, and other things (sparc kernel, sparc
boot-floppies), then this issue falls on the bottom of a short list.

/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
