
Re: [SECURITY] [DSA 1438-1] New tar packages fix several vulnerabilities
On Fri, 2007-12-28 at 22:36 +0100, Martin Zobel-Helas wrote:
> On Fri Dec 28, 2007 at 22:10:08 +0100, Wolfgang Jeltsch wrote:
> > However, I cannot see any security announcement for most of these.  Were they 
> > updated because of the security fix for tar?  If yes, why doesn’t the 
> > security announcement mention that updated versions are available also for 
> > those packages?
> 
> see http://lists.debian.org/debian-announce/debian-announce-2007/msg00004.html

Martin,

First, I (and many others) appreciate your and everyone else's work on
Debian. That said, I too am confused by the latest Debian 4.0 release.
It seems to me that, in the past, all Debian patches were released with
DSAs (why patch w/o a DSA?), and that further updates to the core
release (Potato, Sid, Sarge, Etch, etc.) were only a roll-up of
previously issued DSAs. I don't recall new functionality ever being
added in a core release update bundle (although I could be wrong).

Consider that some people, such as myself, only update servers based on
review of public DSA statements. Yet now we find ourselves with
multiple days of updates to multiple pkgs, but no corresponding DSA
announcements to cross-reference for validity (which can easily make one
suspect a mirror has been hacked).

Since I'm not the only one confused by the recent updates, can we get
some clarification on this process, please? Specifically, is it
currently Debian policy to release non-critical pkg updates, i.e.
releases without DSAs, in periodic core release rollups? (Is this new, or
has it been so in the past?) Could Debian be better served by calling
the rollup (including new non-critical updates) a new release (i.e. 4.1)?

Thank you for helping to clarify.

-Jim P.