
Re: stable vs. testing: same versions, different status



On 6/14/09, Francesco Poli wrote:
> The security tracker is not useful to assess the security of a
> particular box, but I think it's (or it should be) useful as a sort of
> (auxiliary) to-do list for the security teams, telling which
> vulnerabilities should be addressed with the greatest urgency and which
> vulnerabilities are already fixed.
> Or am I completely off-track?

yes, you are on the right track, but since the security team is not
supporting testing right now, they likely aren't looking much at the
testing pages on the secure-testing website. maybe there needs to be a
big warning, "NOT SECURITY SUPPORTED", added to the testing pages
making it clear that this is the case.

> Debian sarge was released in June 2005.
> I remember seeing the first DTSAs for etch in September 2005, if not
> before (OK, that could not be considered as full security support for
> testing, but it was better than nothing).
>
> Debian etch was released in April 2007.
> I remember seeing the first DTSA for lenny in May 2007.
>
> Debian lenny was released in February 2009.
> As of now (June 2009), I still have to see the first DTSA for squeeze.
>
> It seems to me that things are going worse for squeeze than for lenny...
> There's lack of manpower, I know: but was there more manpower while
> lenny was testing and etch was stable?

the security team will push out DTSAs as they find the time
(especially for latently vulnerable issues in ill-maintained
packages), but that does not indicate the initiation of security
support for that release.

mike
