On Thu, Aug 17, 2006 at 02:25:58AM +0200, Goswin von Brederlow wrote: > > That's currently the domain of the BTS. Anyone could publish sufficient > > security (RC bugs) in a vulnerable package that it would make it impossible > > for it to be released. Of course that would only be possible if: > > That wasn't what I suggested (below). The BTS only stops a package > from being released due to known bugs. I ment that if a package has > such a bug that it gets still blocked from the next release even if > the bug is fixed without an audit of the code by e.g. the security > team. I know that is not what you suggested, you asked what we currently do, and what we currently do (audit and security team) is bug through the BTS AFAIK and that's what might prevent a bug. > I would rather have less packages in stable so that the security team > does have enough resources. If a package is in reasonable danger of > having security bugs then it should not get into stable. The problem here is determine "reasonable danger" I would say that there are more chances of unused / unaudited packages having "reasonable danger" than a package which is widely used and reviewed (even if many bugs have been found). But that's just my opinion. Regards Javier
Attachment:
signature.asc
Description: Digital signature