On Mon, Nov 20, 2000 at 09:21:40AM -0500, Itai Zukerman wrote: > > Those who choose to run unstable choose to take upon themselves > > more responsibility/inconvenience, if they are unwilling to bear that > > burden they should not run unstable. > > To me this sounds like: > > Every single unstable user must track debian-security-announce. really even stable users should track d-s-a, especially if you run something other then x86 since occasionally security fixes don't get into other archs right away. > versus: > > One unstable user should track debian-security-announce, and do a > little bit of work to make every other unstable user's life much > easier. there is really more to it then that, fixed packages are usually just installed into unstable like any other update to unstable, this means the package very well may not get built for anything but x86. so if you run an intel box your probably going to be fine just tracking unstable, but if you run anything else, say a powerpc or a sparc you might have to get the source and build the package yourself. i had to do this very frequently when i tracked then unstable potato on my powerpc. so its not just making a task package its also making sure that the package is built for each and every archetecture debian supports, and making sure that gets installed in the archive along with the task package. this is what the security team currently does for stable (except there is no task package, other then security.debian.org). if someone wants to volunteer to serve all the functions the security team does for unstable im sure that would be welcome but i think its alot more work then you think it is. (disclaimer i am not a member of the security team or a debian developer, but judging by how annoyed they get by anything resembling nagging i will venture to say they quite busy and there is alot of work involved) > But tracking d-s-a isn't enough for unstable, since only (I believe) > security fixes for packages in stable are reported there. that is generally correct. this came up a while back when potato was unstable. however i think security fixes tend to start getting made when for frozen when its created. > Again, let me ask: Why is there no "security" bug tag? When a > security fix is released, we can then have (for stable, tracking > d-s-a): i don't know, i vaguely recall some comments about a security tag in the initial discussion on -devel but i didn't follow that thread terribly closely. check the archives, read the thread on bug tags. -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpqLX_r4si_L.pgp
Description: PGP signature