Re: Security updates without DSA?

[Olaf Meeuwissen <olaf@epkowa.co.jp>]

Peter Mathiasson <peter@mathiasson.nu> writes:

> On Mon, Sep 30, 2002 at 10:57:18AM +0900, Olaf Meeuwissen wrote:
> >   fetchmail (5.9.11-6) testing-security; urgency=high
> >    -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat,  8 Jun 2002 09:40:46 -0300
> 
> >   kdenetwork (4:2.2.2-14.0woody1) testing-security; urgency=high
> >    -- Daniel Jacobowitz <dan@debian.org>  Sun,  7 Jul 2002 14:12:03 -0400
> > 
> > So we have one maintainer and one security team upgrade for the woody
> > distribution that have never been publicly announced.  From the looks
> > of it, it would seem that these upgrades somehow got lost (them being
> > upgrades to *testing*).  I am aware of the fact that security for the
> > testing distribution is non-existent, but as woody is now stable, I'd
> > say these are security issues for the stable distribution and should
> > probably be announced (even if it's a bit late).
> 
> Theese packages were added to woody before the release.
> 
> Using a woody Packages file...
> 
> $ grep-dctrl -F Package -s Package,Version fetchmail Packages
> 
> Package: fetchmail-ssl
> Version: 5.9.11-6

I double checked and you are right about this one.  It's in my woody
Packages file, but it is also in my Packages file for the security
updates to stable.  Since the sources.list has security.d.o as its
very first entry, the download was from security.d.o and apt-get
showed the package as coming from Debian/Security (or whatever it
exactly says).

> $ grep-dctrl -F Source -s Package,Version kdenetwork Packages
> Package: kdict
> Version: 4:2.2.2-14

On this one you are wrong.  The security upgrade is 4:2.2.2-14.0woody1
which is not in the woody Packages file as your grep-dctrl clearly
shows.
-- 
Olaf Meeuwissen                            EPSON KOWA Corporation, ECS
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2               -- I hack, therefore I am --                 BOFH