
Re: stable vs. testing: same versions, different status



On Sun, 28 Jun 2009 18:48:17 +0200 Francesco Poli wrote:
> That's why I am trying to figure out how the manpower issue can be
> solved: because I would love to see DTSAs and all the full security
> support for Debian testing, even when it is apparently harder (i.e.:
> immediately after a release).

the issue is not necessarily manpower itself, but rather the value of
volunteers' time.  it makes little sense to duplicate work for testing
and unstable when unstable will eventually overwrite testing. 

because it is hard for any volunteer to justify doubling their work,
your best bet for better testing security support is to step up to the
plate yourself or to pay someone to do so for you.

> Indeed, but I don't see a "Do not use testing unless we are a few weeks
> from next release" warning.
> And I think that there should *not* be such a warning and that the
> reasons for such a warning should be fought and defeated by the Testing
> Security team.

testing is just too much of a moving target.  the track record for
full support is not a few weeks before release, but rather six months
or so, which is a fairly significant chunk of time.  in the meantime a
recommendation to use stable seems a reasonable position to me.

> If users don't use Debian testing, no one will report bugs for packages
> in testing, and bugs won't be discovered until a new release is out,
> that is to say, until it's too late...

regardless of non-expedient security support, plenty of people use
testing and report issues.  in fact the majority of users do not base
any of their decisions on security; hence, this is an extreme
conclusion to draw.  besides, testing is indeed security-supported, it's
just slow.

> I think it should be done automatically at archive level.
> 
> An automatic stable-update --> testing,unstable migration mechanism is
> already in place for point releases, as stated by Nico Golde in
> http://lists.debian.org/debian-security-tracker/2009/06/msg00009.html
> 
> A similar automatic stable-security --> testing-security migration
> mechanism should be implemented, IMHO.

even though there is an existing solution, my argument for it as the
only option is counter-productive; and i do not wish to say no just to
say no.  i would suggest talking to the ftp-masters and the security
team (team@security.debian.org) about whether they would be interested
in implementing your idea.

> BTW, since a point release was issued yesterday, I've just seen the
> stable-update --> testing,unstable migration happen for a number of
> packages (including linux-2.6).
> This caused a number of new "same versions, different status"
> inconsistencies in the tracker:

started fixing these; will fix the rest tomorrow.

mike

