[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: updated debian development diagram -- comments?

Olaf Conradi <oohlaf@gmail.com> writes:

> On Sun, 09 Jan 2005 15:42:36 -0600, Ron Johnson <ron.l.johnson@cox.net> wrote:
>> On Sun, 2005-01-09 at 16:20 -0500, Tom Allison wrote:
>> > Ron Johnson wrote:
>> > > On Sun, 2005-01-09 at 15:04 +0100, Olaf Conradi wrote:
>> > >>Most of the development work that is done in Debian, is uploaded to
>> > >>this distribution. This distribution will never get released; instead,
>> > >>packages from it will propagate into testing and then into a real
>> > >>release. Security updates for "unstable" distribution are not managed
>> > >>by the security team.
>> > >
>> > > That is misleading.  Yes, the Security Team doesn't manage Sid,
>> > > but the maintainers themselves either patch or push thru new versions
>> > > from upstream.
>> >
>> > There's nothing misleading about it.
>> 
>> mislead != wrong
>> 
>> The statement "Security Team doesn't manage Sid" is true, but
>> someone who doesn't know Debian wouldn't know that Sid packages
>> get fixed, too.
>
> Well, just add a line describing it's the package maintainers decision
> on the timeliness of updates in unstable. The point was that security
> updates in unstable aren't done at high priority.

Why would you say that?  Just because security updates in unstable are
the maintainer's responsibility and not the security team's doesn't mean
they aren't given any less priority.


>> > It merely states the the Security Team doesn't manage the security
>> > updates for -unstable.  If there are major security holes in the Sid,
>> > there isn't anything which would require a short track security update.
>> >   If I were a developer managing a package which was found to have a
>> > security problem in all version, it stands to reason that Sid would be
>> > the lowest priority of the three.
>> >
>> > And as such there's no hard requirements that I do anything on a
>> > security fix basis to Sid.  For example, given a choice between a
>> > current version patch or a new version that's fixed, you would expect
>> > Stable and Testing to have the patches and Sid to have whatever I feel
>> > like putting into it.
>> 
>> That's wrong.
>> 
>> Packages filter into testing after being in Sid for some time.
>> Thus, Sid's versions will always get the patches first.
>
> That's not always true. If testing is already frozen and unstable
> contains newer development versions, then RC and security related bugs
> can go to testing-proposed-updates and bypass unstable.
>
> Or if unstable contains a higher version, one can upload the new
> testing version to unstable with a high priority. People tracking
> unstable will never see the update, because it has a lower upstream
> version.

I'm pretty sure that's not possible.  Even if it is, it should be
strongly discouraged.

-- 
For every sprinkle I find, I shall kill you!
Reply to: