
Re: Odp: Re: Debian 2.2 and security - SecurityPortal article



Leszek.Gerwatowski@tpi.pl wrote:
> But this guy talks about security holes just by checking package version 
> numbers! He doesn't look what has been done with package (debian specific 
> changes including backported fixes for security holes). I often wrote 
> maintainers that Debian should implement right package versions. For 
> example: package in Debian has number 1.4-1. Security hole is discovered 
> and it's fixed in normal 1.5 version. But when this package (1.4-1) is in 
> "frozen state" there is no possibility to generate package 1.5-1 and put it 
> into frozen. So maintainer backports security fix and makes package 1.4-2 
> which has no security hole.

That is *not* why we backport security holes. 

Let's look at apache. A security hole is discovered in apache. Debian
has a current version (1.3.9) in it already. The apache team releases
1.3.10, with a fix for the security hole. And 70 other, unrelated,
changes.

Now, is it safer to backport the fix to 1.3.9, or to just shove all
those changes into frozen? You wanted us to release *when*?

BTW, this is a real life example.

> But for guy like this writer (and for many 
> normal users) this package has security hole. Not so many look at the 
> changelogs or try exploits

Anyone who makes accusations in print without checking their facts is a
fool. There are a *lot* of fools in the media.

Debian publishes security advisories for a reason. Debian has a security
website for a reason. Debian packages have changelogs for a reason. It's
not as if this information is hard to find.

-- 
see shy jo
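As an added illustration of the point made in this thread (example code, not part of the original mail): a version-only check like the article's flags the 1.4-2 package as vulnerable, while a check that also reads the package changelog sees the backported fix. The package name "foo", the changelog text and the marker word are constructed for the example; epochs are not handled.

```python
import re
from itertools import zip_longest
# Constructed changelog for a hypothetical package "foo" (not a real Debian
# changelog), following the mail's 1.4-1 -> 1.4-2 backport scenario.
CHANGELOG = """\
foo (1.4-2) frozen; urgency=high

  * Backport the buffer overflow fix from upstream 1.5 (security).

 -- A. Maintainer <maint@example.org>  Mon, 10 Jul 2000 12:00:00 +0200

foo (1.4-1) unstable; urgency=low

  * New upstream release.

 -- A. Maintainer <maint@example.org>  Mon, 01 May 2000 12:00:00 +0200
"""

def _order(c):
    """dpkg ordering for one non-digit character ('' = end of string)."""
    if c == "": return 0
    if c == "~": return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def vercmp(a, b):
    """dpkg-style comparison of two version strings (epochs not handled)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            oa, ob = _order(ca), _order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def naive_is_vulnerable(version, fixed_upstream):
    """The article's method: compare only the upstream part of the version."""
    return vercmp(version.rpartition("-")[0] or version, fixed_upstream) < 0

def changelog_is_vulnerable(version, fixed_upstream, changelog, marker):
    """Also read the changelog: a fix backported in an entry at or below the
    installed version clears the package even though upstream is older."""
    if not naive_is_vulnerable(version, fixed_upstream):
        return False
    entries = re.findall(r"^\S+ \(([^)]+)\)[^\n]*\n(.*?)\n -- ", changelog, re.S | re.M)
    return not any(vercmp(v, version) <= 0 and marker in body for v, body in entries)
```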
