
Re: [SECURITY] [DSA 945-1] New antiword packages fix insecure temporary file creation



On Tue, Jan 17, 2006 at 07:59:45PM +0100, Florian Weimer wrote:
> * Martin Schulze:
> 
> > For the stable distribution (sarge) these problems have been fixed in
> > version 0.35-2sarge1.
> 
> I would have expected a version like 0.35-1sarge1.  The version you
> have chosen violated an implicit constraint fulfilled by most (all?)
> security updates: the version of a package update in stable is less
> than any version uploaded to unstable since stable was branched.
> 
> AFAICS, this rule is quite reasonable, so I assume that this antiword
> version is just a minor glitch.  Correct?

It's weird that antiword's security update was seemingly[1] based on the
testing version, rather than the stable version:

  antiword |     0.35-1 |        stable | source
  antiword |     0.35-2 |       testing | source

But anyway, there is a version propagation mechanism in place to make
sure that the constraint that stable <= testing <= unstable is
preserved. This mechanism also took effect this time:

  antiword | 0.35-2sarge1 | proposed-updates | source
  antiword | 0.35-2sarge1 | testing-proposed-updates | source
  antiword | 0.35-2sarge1 |      unstable | source

So after the version in testing-p-u is accepted by an RM, this condition
will hold again. This mechanism is required because if testing ==
stable, this should not prevent security updates from happening at all.
A temporary inconsistency like this is preferred over not having
security updates end up in proposed-updates at all due to version
constraints. In this case though, stable != testing, so indeed there
could have been chosen a version between the current stable and testing
versions, so that this propagation mechanism wouldn't have needed to
jump in.

--Jeroen

[1] Looking exclusively at the version numbering

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl


