Re: Security updates without DSA?

Matt Zimmerman <mdz@debian.org> writes:

> On Mon, Sep 30, 2002 at 10:57:18AM +0900, Olaf Meeuwissen wrote:
> > Olaf Meeuwissen <olaf@epkowa.co.jp> (that's me!) writes:
> > 
> > > Dear .debs,
> > > 
> > > I recently wanted to apply security updates to a machine I'd installed
> > > from woody pre6 CDs, hardened and upgraded to woody proper.  [...]
> > > 
> > > Before applying the upgrades I checked whether there was a DSA for the
> > > packages that were going to be upgraded.  Surprise, there were several
> > > that did not (seem to) have a corresponding DSA.
> > > 
> > > Question: Is that normal and OK?
> This is normal in general, as the stable distribution is updated from time
> to time by point releases, which fix critical non-security bugs.  However,
> woody has not received such an update as yet.

I'd say critical non-security bug fixes should go to proposed-updates,
but that's debatable.  Nevertheless, I'd expect a DSA for everything
that ends up in

  deb http://security.debian.org/ stable/updates main

> > I looked into this a bit more and from the changelogs it seems that it
> > really concerned security upgrades.  In the case of fetchmail-ssl, the
> > woody release shipped with 5.9.11-5, the upgrade is 5.9.11-6 and the
> > changelog says:
> Why do you say that woody released with 5.9.11-5?  I believe woody released
> with 5.9.11-6. Perhaps you did not upgrade all packages to the final woody
> versions, and you had an older version from 'testing'?

5.9.11-6 is both in the Packages file for woody and the security
updates as I noted in another mail to the list.  This got me mixed up.

> > For the KDE packages I found out that they all come from the same
> > source package: kdenetwork.  The woody release shipped 4:2.2.2-14, the
> > upgrade is 4:2.2.2-14.0woody1 and the changelog says:
> > [...]
> Likewise here.

I (as well as Peter Mathiasson in his) see 4:2.2.2-14 in my Packages
file for woody.  security.d.o has 4:2.2.2-14.0woody1.  For the record,
I apt-get update'd yesterday from ftp.jp.debian.org, a primary mirror.

Olaf Meeuwissen                            EPSON KOWA Corporation, ECS
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2               -- I hack, therefore I am --                 BOFH
