On Wed, Apr 28, 2004 at 04:55:29AM -0400, Raul Miller wrote: > On Tue, Apr 27, 2004 at 08:41:35PM -0500, Steve Langasek wrote: > > 1. that the amendments to the Social Contract contained within the > > General Resolution "Editorial Amendments To The Social Contract" > > (2004 vote 003) be immediately rescinded; > > 2. that these amendments, which have already been ratified by the Debian > > Project, will be reinstated effective as of September 1, 2004 without > > further cause for deliberation. > What about security fixes and other bug fixes for sarge? > While the content in question is generally stuff like documentation, > image data, firmware for auxilary hardware or the like, in most cases the > packages in question have not been factored such that the problematic > content is in a different package from the rest of the stuff. Worse, > in some cases the problematic content itself might have security problems. > iI believe one of the original motivations for the DFSG was to enable > us to address security issues and other critical problems in a timely > fashion. By and large, it does, but in this context it might have the > opposite afect. Since the impetus for this GR (and the larger discussion) has been our release manager's interpretation of the amended Social Contract, I admit I didn't give much thought to how it would apply to sarge post-release while drafting my proposal. I certainly agree it's important to find this out before the GR goes to vote. I've cc:ed our stable release manager, ftp-masters, and the security team, in the hopes that they'll offer some insight into their understanding of their own responsibilities for sarge if this GR passes. Thanks, -- Steve Langasek postmodern programmer > Possibilities: > * require another GR for security fixes -- bad because then > security fixes can't be made in a timely fashion. > * release such fixes in the form of some kind of "patch" which is > independent of our current dpkg infrastructure -- bad because this is > based on vaporware. > * change the language of the GR. > I'll grant that my informal proposal, mentioning sarge by name, is weaker > than the proposal mentioned by Steve Langasek. However, maybe it would > be a good idea to give a more relaxed deadline on security related updates > (and other grave or critical problems -- with perhaps the release manager's > team getting final say on whether severity assignments are appropriate)?
Description: Digital signature