Re: binnmu's are untrackable

To: Michael Gilbert <michael.s.gilbert@gmail.com>
Cc: debian-security-tracker@lists.debian.org
Subject: Re: binnmu's are untrackable
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Sun, 1 Nov 2009 22:56:20 +0100
Message-id: <[🔎] 20091101215620.GC13904@galadriel.inutil.org>
In-reply-to: <20091030140550.eddd5974.michael.s.gilbert@gmail.com>
References: <20091028155849.680f0169.michael.s.gilbert@gmail.com> <20091030140550.eddd5974.michael.s.gilbert@gmail.com>

On Fri, Oct 30, 2009 at 02:05:50PM -0400, Michael Gilbert wrote:
> On Wed, 28 Oct 2009 15:58:49 -0400, Michael Gilbert wrote:
> > hi all,
> > 
> > it looks like we can't appropriately mark issues that are addressed via
> > binnmu's in the tracker.  see [0] where advi source is 1.6.0-14 and the
> > fix is in binnmu version 1.6.0-14+b1.  since there is no 1.6.0-14+b1
> > source package, the issue is still tracked as unfixed even though it
> > has been fixed.
> > 
> > maybe the solution is to avoid binnmu's altogether for security issues,
> > and instead always at least modify the changelog stating that it is an
> > nmu addressing a security issue (even if the fix only involves
> > relinking to an updated library).
> > 
> > let me know what you think.
> 
> since i didn't get any feedback on this question, can i conclude that my
> suggestion is ok?  if there is no disagreement, i will update the
> tracker documentation to indicate that binnmu's are strongly discouraged
> for security updates.

No. Just because it cannot be tracked in the Security Tracker, doesn't
mean it shouldn't be used. It's only relevant for cornercases anyway.

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Re: binnmu's are untrackable
  - From: Michael Gilbert <michael.s.gilbert@gmail.com>

Prev by Date: Re: No tracker page for DSA-192[45]-1
Next by Date: Re: binnmu's are untrackable
Previous by thread: Re: No tracker page for DSA-192[45]-1
Next by thread: Re: binnmu's are untrackable
Index(es):
- Date
- Thread