Re: [SECURITY] [DSA 531-1] New php4 packages fix multiple vulnerabilities
On Sun, Jul 25, 2004 at 11:54:56PM +0200, Hilko Bengen wrote:
> Matt Zimmerman <firstname.lastname@example.org> writes:
> > On Thu, Jul 22, 2004 at 04:25:30PM +0200, Hilko Bengen wrote:
> >> Why has a new Debian version been introduced? Previous security
> >> fixes followed a numbering scheme 4.1.2-6woody$i, the last version
> >> being 4.1.2-6woody3.
> > That scheme is used for non-maintainer uploads. The maintainer
> > prepared this package, however, and chose to use 4.1.2-7.
> This is the first time I noticed the Debian version being bumped... I
> see a potential (general) problem with this: 4.1.2-7 might have
> existed in both Woody and Sarge and reflected different states of the
> package in each distribution.
> I haven't checked whether this has been the case and, given that PHP
> has evolved quite a bit since Woody was released, it might not have
> mattered much in this particular case. But if Debian manages to
> release more often in the future and less-frequently updated packages
> are treated like this, we might run into confusion.
Selecting an appropriate version number is part of the security update
process, and includes checking that it is unique.
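Added here as an illustration, not part of the thread: a Python implementation of the dpkg version ordering defined in deb-version(7), with the uniqueness check the thread implies, which flags a single version string that names different package contents in two suites. The woody-style version strings are the thread's; the suite table and build identifiers are constructed sample data.

```python
# Added example, not from the thread: deb-version(7) ordering plus a collision check.
import re
from itertools import zip_longest

def _char_order(c):
    # dpkg order: '~' before everything (even end of string ""), then letters, then the rest.
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    # Alternate non-digit runs (character order above) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            d = _char_order(ca) - _char_order(cb)
            if d:
                return -1 if d < 0 else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (int epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(v1, v2):
    """-1, 0 or 1: v1 against v2, ordered as dpkg --compare-versions does."""
    e1, u1, r1 = parse_version(v1)
    e2, u2, r2 = parse_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def version_collisions(suites):
    """suites: {suite: {version: content_id}} -> versions naming different contents."""
    contents = {}
    for pkgs in suites.values():
        for version, content in pkgs.items():
            contents.setdefault(version, set()).add(content)
    return sorted(v for v, c in contents.items() if len(c) > 1)

SAMPLE_SUITES = {"woody": {"4.1.2-6woody3": "build-w3", "4.1.2-7": "build-w7"},
                 "sarge": {"4.1.2-7": "build-s7"}}  # constructed sample data
```

Running `version_collisions(SAMPLE_SUITES)` returns the one ambiguous string, while `compare_versions` confirms that every 4.1.2-6woody$i sorts below 4.1.2-7, so clients on both suites would accept the new upload.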