Re: Misunderstanding about normal (stable) and security channels

On Mon, 28 Jul 2008 10:15:02 pm Frédéric PICA wrote:
> I didn't see proftpd in the security part of the 4.0r4 news.
> The major version is still 4.0 and for me, a security update for this
> version must still go into the security channel. It's logical to do
> these sort of changes between two major versions, but not two minor.
> I'm following stable, not 4.0r3 or r4.
> Is there another explanation ?
Yes, not every security issue is severe enough to warrant a DSA. Some issues
are considered as minor (for instance a lot of DoS attacks) and can be fixed 
via a stable update. The security tracker[0] normally indicates such issues 
with a <no-dsa> tag (see the * behind the issues).
There is a list of issues that could be fixed via stable-proposed-update (a 
stable update upload area) in svn called /data/spu-candidates.txt .


[0]: http://security-tracker.debian.net/tracker/status/release/stable
