Re: [Secure-testing-team] Security support for volatile?
* Kurt Roeckx:
>> For ClamAV and ClamAV-derived packages, I'd prefer to see uploads of
>> new upstream versions to stable-security or stable-proposed-updates
>> (that is, remove it from volatile).
>
> I think one the reason why clamav is in volatile is that the engine
> might need updating to detect new viruses. Is that something you
> want to support in stable-security?
Yes, I think it would make sense. Over time, it becomes increasingly
onerous to provide backported patches for clamav, and there is little
benefit (maybe except for cases where clamav is solely used as a spam
filter). I also think that providing security support for volatile
makes sense, and I've been wondering if it makes sense to kill two
birds with one stone, so to speak.
Of course, there's the slight issue that some maintainers will
complain loudly because they still can't upload new upstream versions
for their packages. 8-) I guess this is something we have to deal with
for the benefit of our users, though.
> I don't think an upload only to stable-proposed-updates is something
> we want for that, since it might take a long time until the next
> point release.
On the other hand, we want quite a bit of testing before we push out a
new version. I don't really want to tie new major upstream version to
a security update. So perhaps there's still a reason to upload newer
versions to volatile, and we will just base security updates off that
(similiar to what we currently do with stable-proposed-updates in most
applicable cases)?
Reply to: