Re: [SECURITY] [DSA 531-1] New php4 packages fix multiple vulnerabilities

Matt Zimmerman <mdz@debian.org> writes:

> On Sun, Jul 25, 2004 at 11:54:56PM +0200, Hilko Bengen wrote:
>> I haven't checked whether this has been the case and, given that
>> PHP has evolved quite a bit since Woody was released, it might not
>> have mattered much in this particular case. But if Debian manages
>> to release more often in the future and less-frequently updated
>> packages are treated like this, we might run into confusion.
> Selecting an appropriate version number is part of the security
> update process, and includes checking that it is unique.

I imagine that some work on these checks could be saved if security
updates generally used a scheme like ${LAST_USED_VERSION}woody${N}. 
(BTW, what is the quickest/best way to determine if a version number
has been used before?) This would not help in the rare case where a
fix can't be backported, of course.

Is this part of the procedure for security updates documented
anywhere? I didn't find it in the Debian Policy.

Thanks for your clarification, anyhow. :-)


