Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities
On Mon, 11 Oct 2010 14:14:41 +0100, Ian Jackson wrote:
> Florian Weimer writes ("[SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities"):
> > DSA-2115-1 introduced a regression because it lacked a dependency on
> > the wwwconfig-common package, leading to installation problems. This
> > update addresses this issue. For reference, the text of the original
> > advisory is provided below.
> This is the second recent regression in a security update. I'm sure
> you'll all agree that this is bad. It's a shame, because Debian
> security updates have historically had a very good reputation.
> Is there anything that I could do to help with improving things to
> avoid this happening again?
> A traditional approach might be to hold a postmortem to try to find
> the chain of events, identify root causes, and make recommendations
> (whether to the Security Team or to others in the project). Has
> anything like that been done in this case ?
The problem here appears to be the jump to the new upstream version
(1.8.2 to 1.8.13), which has a different dependency set. New
upstreams are usually disallowed in security uploads. The question
is why was that OK in this case, rather than the standard backporting