On Tue, 9 Jun 2009 19:42:21 -0400 Michael S. Gilbert wrote:

> On Wed, 10 Jun 2009 00:47:08 +0200, Francesco Poli wrote:
[...]
> > I think the above-described automatic mechanism would benefit testing
> > security, especially in the first post-release times, i.e. when the
> > testing-security team claims that no official testing security support
> > can be provided!
>
> the best course of action here is to use stable-security with a higher
> pin-priority than testing;

I think it would work correctly with the *same* pin-priority as used for
testing and testing-security.

If you used a *higher* pin-priority for stable-security, once you
installed a package from stable-security, you would never upgrade to more
recent package versions that become available in testing.

On the other hand, if you used a *lower* pin-priority for stable-security,
you would never upgrade to a security-wise-fixed version available in
stable-security, even when the currently installed package (from testing)
is identical to the one available in stable.

Hence, I think the pin-priority should be the same.

> that way if testing still contains the
> same version as stable, then you get the securitized version from
> stable-security instead.

With the same pin-priority, yes.

> of course this is a less-than-desirable situation because most users
> won't go through the trouble.

I think this solution could be viable, but should be considered
sub-optimal, as it would require suggesting that all (Debian testing)
end-users modify their sources.list.
Moreover, the security-tracker would not be aware of this possibility and
would thus go on considering those vulnerabilities as unfixed for testing.

On the other hand, my proposed automatic stable-security -> testing-security
migration mechanism would fix a number of vulnerabilities (especially in
the first post-release times) for all Debian testing end-users, in a
"gratuitous" manner (from a Debian Testing Security team point of view,
since it would re-use the Debian Stable Security team effort).

-- 
 New location for my website! Update your bookmarks!
 http://www.inventati.org/frx
 Francesco Poli
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
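The three pinning choices argued over above (same, higher or lower pin-priority for stable-security relative to testing) can be checked with a small simulation of apt's candidate selection. This is an added example, not code from the thread or from apt; it assumes apt picks the highest pin-priority first and, among equal priorities, the highest version, and it uses a simplified stand-in for dpkg's version ordering with constructed package versions.

```python
"""Simulate apt candidate selection for a package available from two suites.

Assumptions (constructed for this example, not taken from apt's source):
  - the candidate is the entry with the highest pin-priority, ties broken
    by the highest version;
  - version ordering is a simplified dpkg-style comparison: digit runs are
    compared numerically, other runs lexically, a strict prefix sorts lower.
"""
import re

TESTING = "testing"
STSEC = "stable-security"


def version_key(version):
    """Sort key approximating dpkg's ordering (simplification, see above)."""
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[^\d]+", version)]


def pick(testing_version, stsec_version, stsec_priority, testing_priority=500):
    """Return (suite, version) apt would choose given the pin-priorities."""
    versions = {TESTING: testing_version, STSEC: stsec_version}
    prios = {TESTING: testing_priority, STSEC: stsec_priority}
    suite = max(versions, key=lambda s: (prios[s], version_key(versions[s])))
    return suite, versions[suite]


if __name__ == "__main__":
    # Constructed versions: right after the release testing still carries
    # the stable version 1.0-1, stable-security ships the fix 1.0-1+lenny1;
    # later testing moves on to 1.1-1, which already contains the fix.
    scenarios = [("just after release", "1.0-1", "1.0-1+lenny1"),
                 ("later, testing moved on", "1.1-1", "1.0-1+lenny1")]
    for label, testing_v, stsec_v in scenarios:
        for name, prio in (("same", 500), ("higher", 600), ("lower", 400)):
            suite, ver = pick(testing_v, stsec_v, prio)
            print(f"{label:25} stable-security pin {name:6} -> {suite} {ver}")
```

With equal priority the fixed version wins right after the release and testing's newer version wins later; a higher priority leaves the box stuck on the stable-security version, a lower one skips the fix entirely.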