[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: task-unstable-security-updates?

On Mon, Nov 20, 2000 at 09:21:40AM -0500, Itai Zukerman wrote:
> > Those who choose to run unstable choose to take upon themselves
> > more responsibility/inconvenience, if they are unwilling to bear that
> > burden they should not run unstable.
> To me this sounds like:
>   Every single unstable user must track debian-security-announce.

really even stable users should track d-s-a, especially if you run
something other then x86 since occasionally security fixes don't get
into other archs right away.  

> versus:
>   One unstable user should track debian-security-announce, and do a
>   little bit of work to make every other unstable user's life much
>   easier.

there is really more to it then that, fixed packages are usually just
installed into unstable like any other update to unstable, this means
the package very well may not get built for anything but x86.  so if
you run an intel box your probably going to be fine just tracking
unstable, but if you run anything else, say a powerpc or a sparc you
might have to get the source and build the package yourself.  i had to
do this very frequently when i tracked then unstable potato on my

so its not just making a task package its also making sure that the
package is built for each and every archetecture debian supports, and
making sure that gets installed in the archive along with the task
package.  this is what the security team currently does for stable
(except there is no task package, other then security.debian.org).

if someone wants to volunteer to serve all the functions the security
team does for unstable im sure that would be welcome but i think its
alot more work then you think it is.  (disclaimer i am not a member of
the security team or a debian developer, but judging by how annoyed
they get by anything resembling nagging i will venture to say they
quite busy and there is alot of work involved)

> But tracking d-s-a isn't enough for unstable, since only (I believe)
> security fixes for packages in stable are reported there.

that is generally correct.  this came up a while back when potato was
unstable.  however i think security fixes tend to start getting made
when for frozen when its created.  

> Again, let me ask: Why is there no "security" bug tag?  When a
> security fix is released, we can then have (for stable, tracking
> d-s-a):

i don't know, i vaguely recall some comments about a security tag in
the initial discussion on -devel but i didn't follow that thread
terribly closely.  check the archives, read the thread on bug tags.  

Ethan Benson

Attachment: pgpqLX_r4si_L.pgp
Description: PGP signature

Reply to: