Re: Misunderstanding about normal (stable) and security channels
Ok, so this is the explanation.
I can understand this reason but in this case, I think that the
security FAQ http://www.debian.org/security/faq.en.html#policy needs
an update because it's clearly said that :
"Security breakage in the stable distribution warrants a package on
security.debian.org" [...] "The size of a breakage is not the real
I understood that every security concerns, even minors one, have to go
in the security channel.
In the tool I'm developping, I rely on the package channel to know if
a package was installed because of a security concern or not (never
mind if this is a minor one or not)
and now I can't be sure of the update type.
Is there a more or less simple way to know a package type (security,
bugfix, ...) ?
I'm developping the same thing for RHEL5 and yum, here I can clearly
know the type of a package : Bugfix, Security or enhancement.
I think that this information is very important for businesses, at
least, it's important for us.
Any idea ?
2008/7/28 Steffen Joeris <firstname.lastname@example.org>:
> On Mon, 28 Jul 2008 10:15:02 pm Frédéric PICA wrote:
>> I didn't see proftpd in the security part of the 4.0r4 news.
>> The major version is still 4.0 and for me, a security update for this
>> version must still go into the security channel. It's logical to do
>> these sort of changes between two major versions, but not two minor.
>> I'm following stable, not 4.0r3 or r4.
>> Is there another explanation ?
> Yes, not every security issue is severe enought to warrant a DSA. Some issues
> are considered as minor (for instance a lot of DoS attacks) and can be fixed
> via a stable update. The security tracker normally indicates such issues
> with a <no-dsa> tag (see the * behind the issues).
> There is a list of issues that could be fixed via stable-proposed-update (a
> stable update upload area) in svn called /data/spu-candidates.txt .
> : http://security-tracker.debian.net/tracker/status/release/stable