
Security patches being reverted, and the BTS



The recent mgetty security fix upload, and an NMU upload (of mgetty) to
unstable yesterday, reminded me of a serious issue we still have to address.

Sometimes, security patches made by the security team (and made available
through security.debian.org) are reverted by mistake by maintainers on the
next upload to unstable. This was not the case with mgetty, but it has
happened in the past.

Such patch reversions are difficult to notice right now, and are very
dangerous. However, if the security team were to *always* file a bug
against any and all packages it fixes and uploads to security.debian.org,
they would be trackable.

I suggest that such bugs be of severity 'serious' or worse, and that they include the
security patch itself if possible. The idea is that the bug must be very
noticeable and it also should be closed ASAP in the unstable branch, using a
high enough priority so that it has a chance to make it to 'testing' ASAP.

The bugs would then have to be closed by the next unstable upload, making it
easier to keep track of security patch reversions (actually, to avoid those
altogether). Sometimes this would result in wrong bugs being filed (because
the unstable branch of a given package is not vulnerable anymore, for
example), but that is much, much better than the hole being reopened by
mistake and forgotten open.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

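The message above says reversions of security patches are hard to notice. The following is an added example, not part of the original message or of any Debian tooling: a small Python checker that takes the unified diff the security team shipped (the very patch the proposal suggests attaching to the bug) and a source tree from the next unstable upload, and reports per hunk whether the fix is still APPLIED (the '+' side of the hunk is present), REVERTED (the '-' side is present again), AMBIGUOUS (both found) or UNKNOWN (neither matches). The patch, the `src/login.c` file and the sprintf-to-snprintf change are constructed for illustration and have nothing to do with mgetty; the diff parser is deliberately minimal (it does not use hunk offsets and skips `---` header lines).

```python
"""Check whether a security patch is still present in a source tree.

Added example: detect silent reversion of a security fix by looking for the
post-patch or pre-patch text of every hunk in the new upload's source tree.
"""
import re
import tempfile
from pathlib import Path

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed security patch (hypothetical file and fix, not from any package).
SECURITY_PATCH = """\
--- a/src/login.c
+++ b/src/login.c
@@ -3,6 +3,6 @@
 static void greet(const char *name)
 {
     char buf[64];
-    sprintf(buf, "Welcome %s", name);
+    snprintf(buf, sizeof buf, "Welcome %s", name);
     puts(buf);
 }
"""

# Constructed source as shipped with the fix, and as it looks after a maintainer
# rebuilt the package from an old tree and silently dropped the fix.
FIXED_SRC = """\
#include <stdio.h>

static void greet(const char *name)
{
    char buf[64];
    snprintf(buf, sizeof buf, "Welcome %s", name);
    puts(buf);
}
"""
REVERTED_SRC = FIXED_SRC.replace(
    'snprintf(buf, sizeof buf, "Welcome %s", name);',
    'sprintf(buf, "Welcome %s", name);')


def parse_unified_diff(text):
    """Return [(path, hunks)]; each hunk is a list of (tag, line), tag in ' -+'."""
    files, hunks, hunk = [], None, None
    for raw in text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]          # drop timestamp, if any
            path = path[2:] if path.startswith("b/") else path
            hunks, hunk = [], None
            files.append((path, hunks))
        elif raw.startswith("--- ") and hunk is None:
            continue                                # old-file header
        elif HUNK_RE.match(raw):
            hunk = []
            hunks.append(hunk)
        elif hunk is not None and raw[:1] in (" ", "-", "+"):
            hunk.append((raw[0], raw[1:]))
    return files


def side(hunk, keep):
    """Lines of one side of a hunk: keep='+' is post-patch, '-' is pre-patch."""
    return [line for tag, line in hunk if tag in (" ", keep)]


def contains(haystack, needle):
    """True if `needle` occurs as a contiguous run of lines in `haystack`."""
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def hunk_state(file_lines, hunk):
    applied = contains(file_lines, side(hunk, "+"))
    reverted = contains(file_lines, side(hunk, "-"))
    if applied and reverted:
        return "AMBIGUOUS"
    if applied:
        return "APPLIED"
    if reverted:
        return "REVERTED"
    return "UNKNOWN"       # file missing or code changed beyond recognition


def check_patch(diff_text, root):
    """Return {path: [state per hunk]} for the patch against source tree `root`."""
    root = Path(root)
    report = {}
    for path, hunks in parse_unified_diff(diff_text):
        target = root / path
        lines = target.read_text().splitlines() if target.exists() else []
        report[path] = [hunk_state(lines, h) for h in hunks]
    return report


def demo():
    """Run the check against two constructed trees; returns {label: report}."""
    results = {}
    for label, src in (("keeps-fix", FIXED_SRC), ("reverted", REVERTED_SRC)):
        with tempfile.TemporaryDirectory() as tmp:
            f = Path(tmp) / "src" / "login.c"
            f.parent.mkdir(parents=True)
            f.write_text(src)
            results[label] = check_patch(SECURITY_PATCH, tmp)
    return results


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Any REVERTED or UNKNOWN hunk is the signal to go and look before the upload reaches testing. The equivalent quick check at the shell, assuming the patch is at `-p1` depth, is `patch -p1 -R --dry-run < fix.diff` inside the new source tree: a reverse dry run only succeeds when the fixed lines are still there.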