
Re: Sarge freeze and security updates



On Sun, 2003-02-23 at 19:25, Simon Huggins wrote:

> I don't see why people are worried about numbering for security patches
> for testing.  Why wouldn't they be done in the same way that security
> patches are done at the moment?  i.e. 1.2.3-1.sarge.1 as the security fix
> for 1.2.3-1

Simple problem:

foo 1.2-1 is in stable
foo 1.3-1 in testing
foo 1.4-1 is in unstable

Security problem.

foo 1.2-1.woody.1 goes to stable
foo 1.3-1.sarge.1 goes to testing

unstable is not fixed because the security patch for 1.3 does not apply
cleanly, and anyway, it is expected that upstream fixes this soon.

Now, foo 1.4-1 moves to testing with the security problem still unfixed.
Damn.

In other words: all security problems would have to be closely watched
for unstable, too, and this is not really possible. Yes, in many cases
it wouldn't happen because the fix goes to both stable and unstable, but
the case above will happen, and testing users with security updates
would feel a safety that they don't have.

cheers
-- vbi

-- 
Available for key signing in Zürich and Basel, Switzerland
                     (what's this? Look at http://fortytwo.ch/gpg/intro)
