
Re: Security team plans for the squeeze cycle



Dear release people,

> As announced on dda [RT1], we want to get an impression when releasing
> Squeeze is feasible. We have proposed a (quite ambitious) freeze in December
> 2009, and some developers have noted that their planned changes wouldn't be
> possible in this time frame. So, to find out when releasing would work for
> most people, it would be great if you could answer the following questions:
> 
> Do you have any big changes planned? How much time would they take, and
> what consequences are there for the rest of the project?
>
> How many "big" transitions will the upcoming changes cause? When should those
> happen? Can we do something to make them easier?

We discussed the hardening options at DebConf: We would like to see
"-fstack-protector", "-D_FORTIFY_SOURCE=2", "-Wformat" and "-Werror=format-security"
set as default build flags through dpkg-buildpackage for at least i386 and
amd64 (some embedded archs don't implement it). We need to run more benchmarks
before filing a bug about this, but we don't expect much fallout caused by
build failures.

Shortening the release time frame causes some difficulties: Security support
for oldstable ends one year after the release of stable or with the release of
stable+1. Having a release one year after Lenny release will be difficult for
large organisations.

The initial announcement of the new release plans contained the idea to support
upgrades from Lenny to Debian 7.0. We don't have the resources to do that;
supporting the current state of affairs is difficult enough.

Cheers,
        Moritz

