
Re: Packages temporarily disappearing from Testing/Lenny



We really need to conflate this thread with the sidux one...


On Tue, Apr 15, 2008 at 08:45:47AM +0200, Sven Joachim wrote:
> On 2008-04-15 01:47 +0200, Douglas A. Tutty wrote:
> 
> > On Mon, Apr 14, 2008 at 08:20:00PM +0200, David wrote:
> >  
> >> comix - The version in Testing had security problems, so it was
> >> removed automatically (however, the insecure version stayed in
> >> Unstable). Almost a month later a fixed version was uploaded to stable
> >> and 10 days later it moved to Testing.
> >
> > Everyone who thinks of using Sid needs to read and understand this
> > paragraph.  "However, the insecure version stayed in Unstable".  Just
> > because Sid includes the latest doesn't mean it's the greatest.  I don't
> > think that, e.g. aptitude pops up a warning "WARNING: you are trying to
> > install an insecure version of comix".  
> 
> It is true that sid users should generally check out for grave bugs and
> security issues of packages they want to install, but the same holds for
> testing.  After all, buggy packages will not be removed quickly and an
> update will first be available in unstable before it migrates to
> testing.

Is it not true that _security_ patches migrate to testing through a
different route than the one to sid? I kind of picture it like this:

Testing security team "finds" security bug, writes patch and pushes it
to testing and (probably?) passes it back upstream as well. Then
upstream incorporates the fix and it works its way into sid through
upstream's regular release cycle?

I suppose I should shut up and start reading more about Debian
security...

A
