Re: Security updates without DSA?

To: Matt Zimmerman <mdz@debian.org>
Cc: debian-security@lists.debian.org, security@debian.org
Subject: Re: Security updates without DSA?
From: Olaf Meeuwissen <olaf@epkowa.co.jp>
Date: 01 Oct 2002 08:56:46 +0900
Message-id: <[🔎] 87k7l3rpz5.fsf@frodo.epkowa.co.jp>
In-reply-to: <[🔎] 20020930205400.GI14444@alcor.net>
References: <[🔎] 87hegd63eu.fsf_-_@frodo.epkowa.co.jp> <[🔎] 87adm0me81.fsf@frodo.epkowa.co.jp> <[🔎] 20020930205400.GI14444@alcor.net>

Matt Zimmerman <mdz@debian.org> writes:

> On Mon, Sep 30, 2002 at 10:57:18AM +0900, Olaf Meeuwissen wrote:
> 
> > Olaf Meeuwissen <olaf@epkowa.co.jp> (that's me!) writes:
> > 
> > > Dear .debs,
> > > 
> > > I recently wanted to apply security updates to a machine I'd installed
> > > from woody pre6 CDs, hardened and upgraded to woody proper.  [...]
> > > 
> > > Before applying the upgrades I checked whether there was a DSA for the
> > > packages that were going to be upgraded.  Surprise, there were several
> > > that did not (seem to) have a corresponding DSA.
> > > 
> > > Question: Is that normal and OK?
> 
> This is normal in general, as the stable distribution is updated from time
> to time by point releases, which fix critical non-security bugs.  However,
> woody has not received such an update as yet.

I'd say critical non-security bug fixes should go to proposed-updates,
but that's debatable.  Nevertheless, I'd expect a DSA for everything
that ends up in

  deb http://security.debian.org/ stable/updates main

> > I looked into this a bit more and from the changelogs it seems that it
> > really concerned security upgrades.  In the case of fetchmail-ssl, the
> > woody release shipped with 5.9.11-5, the upgrade is 5.9.11-6 and the
> > changelog says:
> 
> Why do you say that woody released with 5.9.11-5?  I believe woody released
> with 5.9.11-6. Perhaps you did not upgrade all packages to the final woody
> versions, and you had an older version from 'testing'?

5.9.11-6 is both in the Packages file for woody and the security
updates as I noted in another mail to the list.  This got me mixed up.

> > For the KDE packages I found out that they all come from the same
> > source package: kdenetwork.  The woody release shipped 4:2.2.2-14, the
> > upgrade is 4:2.2.2-14.0woody1 and the changelog says:
> > [...]
> 
> Likewise here.

I (as well as Peter Mathiasson in his) see 4:2.2.2-14 in my Packages
file for woody.  security.d.o has 4:2.2.2-14.0woody1.  For the record,
I apt-get update'd yesterday from ftp.jp.debian.org, a primary mirror.

-- 
Olaf Meeuwissen                            EPSON KOWA Corporation, ECS
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2               -- I hack, therefore I am --                 BOFH

Reply to:

References:
- Security updates without DSA?
  - From: Olaf Meeuwissen <olaf@epkowa.co.jp>
- Re: Security updates without DSA?
  - From: Olaf Meeuwissen <olaf@epkowa.co.jp>
- Re: Security updates without DSA?
  - From: Matt Zimmerman <mdz@debian.org>

Prev by Date: Re: Security updates without DSA?
Previous by thread: Re: Security updates without DSA?
Next by thread: Re: How reliable is "debsums"?
Index(es):
- Date
- Thread