On Tue, Apr 15, 2008 at 08:27:15PM +0200, Sven Joachim wrote: > On 2008-04-15 18:43 +0200, Andrew Sackville-West wrote: > > > On Tue, Apr 15, 2008 at 08:45:47AM +0200, Sven Joachim wrote: > >> It is true that sid users should generally check out for grave bugs and > >> security issues of packages they want to install, but the same holds for > >> testing. After all, buggy packages will not be removed quickly and an > >> update will first be available in unstable before it migrates to > >> testing. > > > > is it not true that _security_ patches migrate to testing through a > > different route than the one to sid? I kind of picture it like this: > > > > testing security team "finds" security bug, writes patch and pushes it > > to testing and (Probably?) passing it back upstream as well. THen > > upstream incorporates the fix and it works its way into sid through > > upstream's regular release cycle? > > In general, no. First, the testing security team also works as security > team for unstable: if the maintainer does not react in time and uploads > a fix himself, they usually upload directly to unstable as well. > > Secondly, they only upload to testing-security if the fixed package for > unstable is not expected to migrate quickly. You can see¹ that Iceweasel > has still an unfixed version in testing, while both stable and unstable > have the latest upstream version. Apparently it did not build on mips > and mipsel. > > > I suppose I should shut-up and start reading more about debian > > security... > > I'd recommend to start with http://testing-security.debian.net/, that > gives a good overview what this team is about. thanks. A
Attachment:
signature.asc
Description: Digital signature