[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bad press related to (missing) Debian security

On Monday 27 June 2005 20:39, Marek Olejniczak wrote:
I don't understand the philosophy of Debian security team. It's really
so difficult to push into sarge spamassassin 3.0.4 which is not
vulnerable? This version is in Debian testing and why this version
can't be push into stable?

Seems that you don't understand the philosophy of the 'stable' release
either. The basic rule for stable is: "no new upstream versions allowed".
This means security updates for spamassassin need to be backported to
3.0.3 (excluding any functional changes).

Even if 3.0.4 contains only the security fix, it will still be backported
and released as 3.0.3-1sarge1 or something like that.

For me "stable distribution" means "secure". Is now Sarge secure? No, it isn't! Four weeks after new release of Debian, Sarge has many security holes in packages and kernel, and some of this holes are critical. In my opinion Sarge isn't stable distribution now, it's dangerous distribution.


Reply to: