Re: Misunderstanding about normal (stable) and security channels

To: "Steffen Joeris" <steffen.joeris@skolelinux.de>
Cc: debian-security@lists.debian.org
Subject: Re: Misunderstanding about normal (stable) and security channels
From: "Frédéric PICA" <frederic.pica@gmail.com>
Date: Mon, 28 Jul 2008 15:20:56 +0200
Message-id: <d0e937440807280620i5103a1d1r281fdbd691229d1b@mail.gmail.com>
In-reply-to: <200807282250.08697.steffen.joeris@skolelinux.de>
References: <d0e937440807280515r7f6f9120x3f12bdedce7e1a71@mail.gmail.com> <200807282250.08697.steffen.joeris@skolelinux.de>

Ok, so this is the explanation.
I can understand this reason but in this case, I think that the
security FAQ http://www.debian.org/security/faq.en.html#policy needs
an update because it's clearly said that :
"Security breakage in the stable distribution warrants a package on
security.debian.org" [...] "The size of a breakage is not the real
problem here"
I understood that every security concerns, even minors one, have to go
in the security channel.

In the tool I'm developping, I rely on the package channel to know if
a package was installed because of a security concern or not (never
mind if this is a minor one or not)
and now I can't be sure of the update type.

Is there a more or less simple way to know a package type (security,
bugfix, ...) ?

I'm developping the same thing for RHEL5 and yum, here I can clearly
know the type of a package : Bugfix, Security or enhancement.
I think that this information is very important for businesses, at
least, it's important for us.

Any idea ?

2008/7/28 Steffen Joeris <steffen.joeris@skolelinux.de>:
> On Mon, 28 Jul 2008 10:15:02 pm Frédéric PICA wrote:
>> I didn't see proftpd in the security part of the 4.0r4 news.
>> The major version is still 4.0 and for me, a security update for this
>> version must still go into the security channel. It's logical to do
>> these sort of changes between two major versions, but not two minor.
>> I'm following stable, not 4.0r3 or r4.
>>
>> Is there another explanation ?
> Yes, not every security issue is severe enought to warrant a DSA. Some issues
> are considered as minor (for instance a lot of DoS attacks) and can be fixed
> via a stable update. The security tracker[0] normally indicates such issues
> with a <no-dsa> tag (see the * behind the issues).
> There is a list of issues that could be fixed via stable-proposed-update (a
> stable update upload area) in svn called /data/spu-candidates.txt .
>
> Cheers
> Steffen
>
>
> [0]: http://security-tracker.debian.net/tracker/status/release/stable
>
>

Reply to:

Follow-Ups:
- Re: Misunderstanding about normal (stable) and security channels
  - From: Steffen Joeris <steffen.joeris@skolelinux.de>
- Re: Misunderstanding about normal (stable) and security channels
  - From: Michael Stone <mstone@debian.org>

References:
- Re: Re: Misunderstanding about normal (stable) and security channels
  - From: "Frédéric PICA" <frederic.pica@gmail.com>
- Re: Misunderstanding about normal (stable) and security channels
  - From: Steffen Joeris <steffen.joeris@skolelinux.de>

Prev by Date: Re: Misunderstanding about normal (stable) and security channels
Next by Date: Re: Misunderstanding about normal (stable) and security channels
Previous by thread: Re: Misunderstanding about normal (stable) and security channels
Next by thread: Re: Misunderstanding about normal (stable) and security channels
Index(es):
- Date
- Thread