
Re: gnupg problem



Wichert Akkerman <wichert@wiggy.net> writes:

> Installing mailcrypt on security.debian.org would immediately suggest
> that mailcrypt itself has a security problem, which is not true.
> It's a bit of a catch 22.

Well, this is a general problem then, which the security team should
think about.  The fact that mailcrypt is in contrib means it's a
little less important in this particular case, but nonetheless, it's a
real problem.

Debian is about a *distribution* and not a random assemblage of
.deb's.  The security team exists to support the rapid response to
security needs for the *distribution*, and not just one package.

So my premise is that a user who tracks stable and security should
benefit from security fixes.  When the security team does what was
done with gnupg, the *distribution* has not gotten decent security
support, even if one package has.

Perhaps one solution is to split the security archive into two pieces;
one for the actual packages that have security holes, and another for
other packages that must be installed on a stable system in order to
take advantage of or otherwise use fully the former.

Thomas




