
Re: Woody ssh exploit

On Thu, Feb 22, 2001 at 06:03:53PM -0700, Ray Percival wrote:
> To solve this issue with Woody I just leave the line for the 
> stable security updates in my sources file. I get the security 
> updates before they are in Woody. Is there any reason this would 
> not be a good idea? 

Yeah.  It doesn't work.  What if stable has version 1.0 of a package,
woody and sid have 2.0.  A security hole is found in 2.0 and fixed in
2.1.  It gets backported to 1.0, but you're running 2.0 on testing so
apt-get won't install 1.0-fixed.  You need to either wait until 2.1
makes it to testing or fetch it from unstable.

This issue was basically overlooked in the creation of a testing tree,
and has come up many many times.  I think there needs to be a policy
update about it, but I haven't seen any talk of it on the policy list,
nor do I know of a quick solution that doesn't risk breaking testing
with possible incompatibilities.

| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
