
Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities



On Mon, 11 Oct 2010 14:14:41 +0100, Ian Jackson wrote:
> Florian Weimer writes ("[SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities"):
> > DSA-2115-1 introduced a regression because it lacked a dependency on
> > the wwwconfig-common package, leading to installation problems.  This
> > update addresses this issue.  For reference, the text of the original
> > advisory is provided below.
> 
> This is the second recent regression in a security update.  I'm sure
> you'll all agree that this is bad.  It's a shame, because Debian
> security updates have historically had a very good reputation.
> 
> Is there anything that I could do to help with improving things to
> avoid this happening again?
> 
> A traditional approach might be to hold a postmortem to try to find
> the chain of events, identify root causes, and make recommendations
> (whether to the Security Team or to others in the project).  Has
> anything like that been done in this case ?

The problem here appears to be the jump to the new upstream version
(1.8.2 to 1.8.13), which has a different dependency set.  New
upstreams are usually disallowed in security uploads.  The question
is why was that OK in this case, rather than the standard backporting
approach?

Best wishes,
Mike

