Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities
Jim Popovitch wrote:
> On Fri, 2007-12-28 at 22:36 +0100, Martin Zobel-Helas wrote:
>> On Fri Dec 28, 2007 at 22:10:08 +0100, Wolfgang Jeltsch wrote:
>>> However, I cannot see any security announcement for most of these. Were they
>>> updated because of the security fix for tar? If yes, why doesn’t the
>>> security announcement mention that updated versions are available also for
>>> those packages?
>> see http://lists.debian.org/debian-announce/debian-announce-2007/msg00004.html
> First, I (and many others) appreciate your and everyone else's work on
> Debian. That said, I too am confused by the latest Debian 4.0 release.
> It seems to me that, in the past, all Debian patches were released with
> DSAs (why patch w/o a DSA?), and that further updates to the core
> release (Potato, Sid, Sarge, Etch, etc) were only a roll-up of
> previously issued DSAs. I don't recall new functionality ever being
> added in a core release update bundle (although I could be wrong).
> Consider that some people, such as myself, only update servers based on
> review of public DSA statements. Yet now we find ourselves with
> multiple days of updates to multiple pkgs, but no corresponding DSA
> announcements to cross reference for validity (which can easily make one
> suspect a mirror has been hacked).
> Since I'm not the only one confused by the recent updates, can we get
> some clarification on this process please. Specifically, is it
> currently Debian policy to release non-critical pkg updates, i.e.
> releases without DSAs, in periodic core release rollups? (is this new or
> has it been so in the past?) Could Debian be better served by calling
> the rollup (including new non-critical updates) a new release (i.e 4.1)?
No, the updates you are seeing are release critical, but not perse
security related. DSAs only cover severe security issues, a point
release covers both DSAs and other release critical package updates.
This has always been the case, though currently we probably try to fix
more release critical issues than in the past.
Every point release is announced on firstname.lastname@example.org
including the list of updated packages and a reason why they are updated.