
Some clarifications about the Debian-security-HOWTO



From
http://www.debian.org/doc/manuals/securing-debian-howto/ch9.en.html#s9.1.6

> When a security fix is prepared, packages are prepared for unstable
> and the patch is back ported to stable (since stable is usually some
> minor or major versions behind). Packages for the stable distribution
> are more thoroughly tested than unstable, since the latter might just
> provide the latest upstream release.
> 
> Security updates are available immediately for both branches (but not
> yet for the testing branch).

But this is not always true. Sometimes the DSA reports "For the unstable
distribution (sid) these problems will be fixed soon."
Why is this? Ok, sometimes the sid package may need a longer testing
period, and maybe sometimes a maintainer (or the DST) may consider it
preferable to wait for the packaging of a new upstream release, but are
these the only reasons?
Are the fixes *always* applied to sid packages and then backported?
This method sounds a bit odd to me, especially when uploading to sid is
delayed until a new upstream version is packaged.

> If no (new) bugs are detected in the unstable version of the package,
> it moves to testing after several days (usually over a week). However,
> this does depend on the release state of the distribution.

Uploads that fix a security hole should have the priority set to high,
and this should reduce the transition delay to less than a week [1],
shouldn't it?

Ciao,
Gian Piero.

[1] Usually. I mean, if no other problems, such as dependencies or
similar, arise.
