
Re: Proposal - Deferment of Changes from GR 2004-003

On Wed, Apr 28, 2004 at 04:55:29AM -0400, Raul Miller wrote:
> On Tue, Apr 27, 2004 at 08:41:35PM -0500, Steve Langasek wrote:
> > 1. that the amendments to the Social Contract contained within the
> >    General Resolution "Editorial Amendments To The Social Contract"
> >    (2004 vote 003) be immediately rescinded;
> > 2. that these amendments, which have already been ratified by the Debian
> >    Project, will be reinstated effective as of September 1, 2004 without
> >    further cause for deliberation.

> What about security fixes and other bug fixes for sarge?

> While the content in question is generally stuff like documentation,
> image data, firmware for auxiliary hardware or the like, in most cases the
> packages in question have not been factored such that the problematic
> content is in a different package from the rest of the stuff.  Worse,
> in some cases the problematic content itself might have security problems.

> I believe one of the original motivations for the DFSG was to enable
> us to address security issues and other critical problems in a timely
> fashion.  By and large, it does, but in this context it might have the
> opposite effect.

Since the impetus for this GR (and the larger discussion) has been our
release manager's interpretation of the amended Social Contract, I admit
I didn't give much thought to how it would apply to sarge post-release
while drafting my proposal.  I certainly agree it's important to find
this out before the GR goes to vote.

I've cc:ed our stable release manager, ftp-masters, and the security
team, in the hopes that they'll offer some insight into their
understanding of their own responsibilities for sarge if this GR passes.

Steve Langasek
postmodern programmer

> Possibilities:

> * require another GR for security fixes -- bad because then
> security fixes can't be made in a timely fashion.

> * release such fixes in the form of some kind of "patch" which is
> independent of our current dpkg infrastructure -- bad because this is
> based on vaporware.

> * change the language of the GR.

> I'll grant that my informal proposal, mentioning sarge by name, is weaker
> than the proposal mentioned by Steve Langasek.  However, maybe it would
> be a good idea to give a more relaxed deadline on security related updates
> (and other grave or critical problems -- with perhaps the release manager's
> team getting final say on whether severity assignments are appropriate)?
