Re: Bad press related to (missing) Debian security

On Monday 27 June 2005 20:39, Marek Olejniczak wrote:
> I don't understand the philosophy of the Debian security team. Is it really
> so difficult to push spamassassin 3.0.4, which is not vulnerable, into
> sarge? This version is in Debian testing, so why can't it be pushed into
> stable?

It seems that you don't understand the philosophy of the 'stable' release
either. The basic rule for stable is: "no new upstream versions allowed".
This means security updates for spamassassin need to be backported to
3.0.3 (excluding any functional changes).

Even if 3.0.4 contains only the security fix, it will still be backported
and released as 3.0.3-1sarge1, or something like that.

> For me "stable distribution" means "secure". Is Sarge secure now? No, it
> isn't! Four weeks after the new Debian release, Sarge has many security
> holes in packages and in the kernel, and some of these holes are critical.
> In my opinion Sarge isn't a stable distribution now, it's a dangerous
> distribution.


