Re: Some clarifications about the Debian-security-HOWTO

On Fri, Feb 20, 2004 at 01:14:43PM +0100, Gian Piero Carrubba wrote:

> From
> http://www.debian.org/doc/manuals/securing-debian-howto/ch9.en.html#s9.1.6
> > When a security fix is prepared, packages are prepared for unstable
> > and the patch is back ported to stable (since stable is usually some
> > minor or major versions behind). Packages for the stable distribution
> > are more thoroughly tested than unstable, since the latter might just
> > provide the latest upstream release.
> > 
> > Security updates are available immediately for both branches (but not
> > yet for the testing branch).
> But this is not always true. Sometimes the DSA reports "For the unstable
> distribution (sid) these problems will be fixed soon."

This is misleading.  Security fixes for stable are prepared by the security
team, while security fixes for unstable are usually prepared by the package
maintainer (often by incorporating a new upstream release).  Sometimes they
happen at nearly the same time, and sometimes they do not.

> > If no (new) bugs are detected in the unstable version of the package, it
> > moves to testing after several days (usually over a week). However, this
> > does depend on the release state of the distribution.
> Uploads that fix a security hole should have the priority set to high, and
> this should reduce the transition delay to less than a week [1], shouldn't
> it?

It will reduce the best-case delay, but if the package is blocked from
entering testing by its dependency relationships, the urgency does not
change that.

 - mdz