
Re: dist stable update for #496412



Hi Manoj,
* Manoj Srivastava <srivasta@debian.org> [2008-10-04 16:39]:
> On Sat, Oct 04 2008, Nico Golde wrote:
[...] 
> > This is an automatically generated mail, in case you are already
> > working on an upgrade this is of course pointless.
> 
>         Umm. The fixed package is already in testing and unstable, so
>  with the new release, stable should be covered.

Sure, but that's still some time in between.

>   1) The package in testing has had many, many unrelated changes,
>      including a new set of upstream releases, so would not meet the
>      stable release criteria.

Yes, that's correct.

>   2) The package has a low popularity contest ranking.
>   3) Uploading packages to proposed-updates for security is deprecated,
>      if it were important enough, there would have been the normal
>      security update which would have taken the fixes back to stable. 

The reason you got this mail is that it is not important 
enough; this has been tagged as no-dsa in the security 
tracker.

>   4) The fix will have to be back ported, since we can't just take the
>      testing version of the package back.
> 
>         On the other hand, back-porting the fix will probably be pretty
>  easy, though still a chore. Since this is an automatically generated
>  request, I'd like the input of a human before I undertake the task --
>  is this report, which was not deemed important enough to be called a
>  security risk, worth the effort? Will we release Lenny before the next
>  point release?

In my opinion, yes. It's not that this is no security risk 
at all; of course it is a security risk, and it is tracked 
as low in our security tracker. But the security team would 
be overloaded if we released a DSA for every single tmp 
race issue that was reported recently. I think back-porting 
the fix is not that much work, and the users of dist will be 
thankful for it (even if there are only ~100).

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgp0n3CZBTu0E.pgp
Description: PGP signature