Re: Security updates without DSA?
Matt Zimmerman <firstname.lastname@example.org> writes:
> On Mon, Sep 30, 2002 at 10:57:18AM +0900, Olaf Meeuwissen wrote:
> > Olaf Meeuwissen <email@example.com> (that's me!) writes:
> > > Dear .debs,
> > >
> > > I recently wanted to apply security updates to a machine I'd installed
> > > from woody pre6 CDs, hardened and upgraded to woody proper. [...]
> > >
> > > Before applying the upgrades I checked whether there was a DSA for the
> > > packages that were going to be upgraded. Surprise, there were several
> > > that did not (seem to) have a corresponding DSA.
> > >
> > > Question: Is that normal and OK?
> This is normal in general, as the stable distribution is updated from time
> to time by point releases, which fix critical non-security bugs. However,
> woody has not received such an update as yet.
I'd say critical non-security bug fixes should go to proposed-updates,
but that's debatable. Nevertheless, I'd expect a DSA for everything
that ends up in
deb http://security.debian.org/ stable/updates main
> > I looked into this a bit more and from the changelogs it seems that it
> > really concerned security upgrades. In the case of fetchmail-ssl, the
> > woody release shipped with 5.9.11-5, the upgrade is 5.9.11-6 and the
> > changelog says:
> Why do you say that woody released with 5.9.11-5? I believe woody released
> with 5.9.11-6. Perhaps you did not upgrade all packages to the final woody
> versions, and you had an older version from 'testing'?
5.9.11-6 is both in the Packages file for woody and the security
updates as I noted in another mail to the list. This got me mixed up.
> > For the KDE packages I found out that they all come from the same
> > source package: kdenetwork. The woody release shipped 4:2.2.2-14, the
> > upgrade is 4:2.2.2-14.0woody1 and the changelog says:
> > [...]
> Likewise here.
I (as well as Peter Mathiasson in his) see 4:2.2.2-14 in my Packages
file for woody. security.d.o has 4:2.2.2-14.0woody1. For the record,
I apt-get update'd yesterday from ftp.jp.debian.org, a primary mirror.
Olaf Meeuwissen EPSON KOWA Corporation, ECS
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97 976A 16C7 F27D 6BE3 7D90
LPIC-2 -- I hack, therefore I am -- BOFH