
Re: Re: Misunderstanding about normal (stable) and security channels

I didn't see proftpd in the security part of the 4.0r4 news.
The major version is still 4.0 and for me, a security update for this
version must still go into the security channel. It's logical to do
these sorts of changes between two major versions, but not two minor.
I'm following stable, not 4.0r3 or r4.

Is there another explanation?

Best regards,
Frédéric PICA

>On Mon, 2008-07-28 at 10:43 +0200, Frédéric PICA wrote:
>> Greetings,
>> As I have understood on
>> http://www.debian.org/security/faq.en.html#policy , every security
>> bugfix package goes into the debian-security channel but recently I
>> saw an update to the proftpd package (on etch) in the debian/stable
>> channel.
>> I thought it was a bugfix but when I looked into the changelog
>> http://packages.debian.org/changelogs/pool/main/g/glibc/glibc_2.3.6.ds1-13etch7/changelog
>> I saw that this is not a bugfix but a security bugfix, closing
>> CVE-2007-2165.
>> Why was this package uploaded to the normal etch channel and not
>> into the security one? Every security package concerns must go into
>> the security channel, no?
>> I rely on the package channel to know if this is a normal or a
>> security bugfix in a plugin I'm currently developing (and soon
>> releasing on SourceForge) for apt.
>> Best regards,
>> Frédéric PICA
>I suspect because of Etch's latest update (4.0r4).
>Karl Goetz,
>Debian user / Ubuntu contributor / gNewSense contributor
