Re: task-unstable-security-updates?

To: debian-security@lists.debian.org
Subject: Re: task-unstable-security-updates?
From: Daniel Jacobowitz <dan@debian.org>
Date: Mon, 20 Nov 2000 14:45:13 -0500
Message-id: <[🔎] 20001120144513.A10001@drow.them.org>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 87hf52ye2h.fsf@matt.w80.math-hat.com>; from zukerman@math-hat.com on Mon, Nov 20, 2000 at 08:21:10AM -0500
References: <[🔎] Pine.LNX.4.21.0011191243120.4669-100000@localhost> <[🔎] 20001120002647.A674@drow.them.org> <[🔎] 87hf52ye2h.fsf@matt.w80.math-hat.com>

On Mon, Nov 20, 2000 at 08:21:10AM -0500, Itai Zukerman wrote:
> > > It would be very helpful if there was a pseudo-package that conflicted
> > > with packages that have known security problems that have been fixed in a
> > > later version.  That way one could do a regular 'apt-get install
> > > task-unstable-security-updates' and cause the upgrade of all the
> > > conflicting packages that are currently installed on your system.
> 
> Seems like a great idea to me.
> 
> If the BTS had a "security" tag, then this could be done
> automatically.  A quick look through the debian-devel archives, and I
> can't find discussion of this tag.  Was there some reason it wasn't
> introduced?

Most of our security fixes are never filed as bugs - and can not be. 
The BTS is public, and preliminary security advisories are not.
Filing them after they are publicized is, on the whole, redundant.

> > > Is that possible?  Would the security team be willing to maintain such a
> > > pseudo-package?
> > 
> > Not really.  Our priority is stable; security fixes make it to unstable
> > somewhat haphazardly, especially for more obscure architectures.  The
> > maintenance cost on something like this is prohibitively high.
> > 
> > The answer is just to watch one single list - debian-security-announce. 
> > That's what it's for :)
> 
> I'm not sure I understand the reasoning here.  If the answer is to
> watch the debian-security-announce list, then what prevents someone
> watching the list from maintaining the proposed virtual package?

The problem is that, for one thing, maintaining this package usefully
requires getting all fixes compiled on all architectures for unstable. 
That's impractical; we do the best that we can, but it's too time
consuming and too complicated, especially given the quirks of some of
our architectures.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan@debian.org         |  |       dmj+@andrew.cmu.edu      |
\--------------------------------/  \--------------------------------/

Reply to:

References:
- task-unstable-security-updates?
  - From: Mike Fisk <mfisk@lanl.gov>
- Re: task-unstable-security-updates?
  - From: Daniel Jacobowitz <dan@debian.org>
- Re: task-unstable-security-updates?
  - From: Itai Zukerman <zukerman@math-hat.com>

Prev by Date: Re: /dev/fb* permissions, local DoS
Next by Date: Re: /dev/fb* permissions, local DoS
Previous by thread: Re: task-unstable-security-updates?
Next by thread: Re: task-unstable-security-updates?
Index(es):
- Date
- Thread