
Re: [SECURITY] [DSA 2135-1] New xpdf packages fix several vulnerabilities



Michael Gilbert wrote:
> On Tue, Dec 21, 2010 at 12:34 PM, Moritz Muehlenhoff wrote:
> > Upgrade instructions
> > --------------------
> >
> > If you are using the apt-get package manager, use the line for
> > sources.list as given below:
> 
> For future advisories, I wonder if this might be better said as "Make
> sure that a 'deb http://security.debian.org/ stable/updates main' line
> is included in your /etc/apt/sources.list and then run the following
> commands to perform the update"
> 
> > apt-get update
> >        will update the internal database
> > apt-get upgrade
> >        will install corrected packages
> >
> > You may use an automated update by adding the resources from the
> > footer to the proper configuration.
> 
> Isn't this a repeat of the first sentence in the upgrade instructions?
> 
> > ---------------------------------------------------------------------------------
> > For apt-get: deb http://security.debian.org/ stable/updates main
> 
> I think this would be better stated in plain English as suggested above.
> 
> > For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> 
> Since dpkg-ftp is removed from sid/squeeze (and I don't know if it
> checks signatures), I think this line should be removed.
> 
> > Mailing list: debian-security-announce@lists.debian.org
> 
> Is this statement useful?  The user can look at the mail header to see
> where it came from.
> 
> > Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> 
> This may be better to state in plain English.  For example, "For more
> info on this package, type 'apt-cache show' or visit
> http://packages.debian.org/<pkg>.  For information on the changes
> involved type 'cat /usr/share/doc/<pkg>/changelog.Debian.gz' or
> install the apt-listchanges package."
> 
> I wonder if there should be a warning somewhere in this footer about
> using tools (such as dpkg) that don't check signatures?  Or maybe
> explicitly state that apt, aptitude, synaptic, software center, update
> manager, etc are the only recommended tools.
> 
> Anyway, just some thoughts on new changes.

Thanks for the feedback. We've ended up with a much simplified version.

BTW, the line "Mailing list: debian-security-announce@lists.debian.org"
is currently mandated by the mailing list script.

Cheers,
       Moritz
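
The footer procedure the thread is debating (a security line in sources.list, then apt-get update and apt-get upgrade) and Michael's worry about tools that do not check signatures can be turned into a small audit. The script below is an added example for this page, not part of the advisory or of either message. It parses a sources.list the way apt tokenises it (comments dropped, an optional [option=value ...] group after 'deb'), reports whether the recommended 'deb http://security.debian.org/ stable/updates main' entry is active, and additionally flags the '[trusted=yes]' source option, which later apt releases accept and which switches off signature verification for that source; that option is not mentioned in the thread and is included here as a practitioner's caveat. The sample file it writes when run without an argument is constructed for the demo and is not a real host's configuration.

```shell
#!/bin/sh
# Added example (not from the advisory or the thread): audit an apt
# sources.list for the security entry the advisory footer recommends and
# for a setting that would make apt skip signature checks for a source.

# parse_sources FILE
# Prints one tab-separated record per active binary ("deb") line:
#   uri <TAB> suite <TAB> components <TAB> options
# Comments (whole-line or trailing) and deb-src lines are ignored.
# An optional [key=val ...] group after "deb" may span several tokens,
# e.g. "[ trusted=yes ]", so it is collected token by token.
parse_sources() {
    awk '
        { sub(/#.*/, "") }                       # drop comments, re-split fields
        $1 == "deb" && NF >= 4 {
            i = 2; opts = ""
            if ($i ~ /^\[/) {                    # options group present
                while (i <= NF) {
                    opts = opts (opts == "" ? "" : " ") $i
                    if ($i ~ /\]$/) { i++; break }
                    i++
                }
                gsub(/[][]/, "", opts)           # strip the brackets themselves
            }
            if (i + 1 > NF) next                 # nothing left for uri/suite
            uri = $i; suite = $(i + 1); comps = ""
            for (j = i + 2; j <= NF; j++) comps = comps (comps == "" ? "" : " ") $j
            printf "%s\t%s\t%s\t%s\n", uri, suite, comps, opts
        }
    ' "$1"
}

# has_security_source FILE
# Exit 0 if FILE has an active "deb http://security.debian.org/ stable/updates ... main ..."
# line (trailing slash on the URI optional), 1 otherwise.
has_security_source() {
    parse_sources "$1" | awk -F'\t' '
        $1 ~ /^https?:\/\/security\.debian\.org\/?$/ &&
        $2 == "stable/updates" &&
        (" " $3 " ") ~ / main / { found = 1 }
        END { exit found ? 0 : 1 }'
}

# has_unverified_source FILE
# Exit 0 if any active line carries the trusted=yes option, which tells apt
# (in releases that support the option) not to verify signatures for that
# source, 1 otherwise. This caveat is an addition beyond the thread.
has_unverified_source() {
    parse_sources "$1" | awk -F'\t' '
        (" " $4 " ") ~ / trusted=yes / { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Demo: audit the given file, or a constructed sample when run without arguments.
if [ $# -gt 0 ]; then
    list=$1
else
    list=$(mktemp)
    cat > "$list" <<'EOF'
# constructed sample sources.list for the demo, not a real host file
deb http://ftp.debian.org/debian/ stable main contrib
deb http://security.debian.org/ stable/updates main
EOF
fi
if has_security_source "$list"; then
    echo "$list: security.debian.org stable/updates main is configured"
    echo "next: apt-get update && apt-get upgrade"
else
    echo "$list: add 'deb http://security.debian.org/ stable/updates main' before running apt-get update"
fi
if has_unverified_source "$list"; then
    echo "$list: WARNING: a [trusted=yes] source disables apt's signature check"
fi
```

Run it as 'sh audit_sources.sh /etc/apt/sources.list' to check a real file; apt itself still performs the Release-file signature verification when 'apt-get update' runs, which is the property the script is trying to confirm has not been configured away.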