Re: Current 2.2r2 status
On Wed, 22 Nov 2000, Ben Collins wrote:
> On Thu, Nov 23, 2000 at 12:35:19AM +1000, Anthony Towns wrote:
> > On Wed, Nov 22, 2000 at 08:53:49AM -0500, Ben Collins wrote:
> > > So we release immediately even though there are major security updates and
> > > package revisions that need to be done? That sounds like RH release goals,
> > > "make the point change, just so it looks like we are doing something".
> > I repeat: at the moment potato has a number of security problems which
> > have packaged, completed fixes. Furthermore, the Debian Project Leader is
> > being cited as saying that ``Debian is broken'' , and the the Debian
> > Press Contact is on the record as having announced ``It is recommended
> > that people wishing to install [...] updates or create CD images wait
> > until the release of version 2.2r2 to do so'' . Not only this, Debian
> > is also on record as assuring users that ``A 2.2r2 release is expected
> > within the next 10 days'' .
> So do we want to change that to "wait for 2.2r3" just after releasing
> 2.2r2? IMO, if the securty fixes don't get it, there is no way we can
> recommend CD vendors using 2.2r2.
As a CD Vendor I have watched this thread with interest. The day that you
release 2.2R2 there could be a major security hole announced that needs
fixing. There could be another one the day I get the Cd's back from the
The security updates need to be independent of the release, which is why
Redhat for example still release security updates for RH 6.2. You cant
even download Debian 2.2r0 anymore and you certainly cant make iso images
using the pseudo image kit because the original ftp files were overwritten
by 2.2r1 on the mirrors, without the pseudo image kit having caught up,
there doesnt seem to be a copy of the 2.2r0 tree anywhere to allow the
isos to be made and with 2.2R1 'broken' that seems to leave people unable
to download a stable verion of Debian.
That is why it is imperative to get 2.2R2 released as soon as possible.
We provide weekly redhat and mandrake update cd's including all known
updates, there is no reason why the same cant be done for Debian.
I think that there needs to be a 'minimum time' between point releases to
allow for vendors pressing cd's - and I would suggest 3 months as being
the absolute minimum.
The real problem here seems to have come about because 2.2r1 was released
prematurely without the then known security fixes having been