
Bug#321896: Incorrect security info on AMD64 page



Package: www.debian.org
Version: n/a

The security support for the AMD64 port is still (apparently) not
in place.  However the only information on www.debian.org says that
it is.  Following the instructions provided on the site is dangerous
because no security updates will be applied.

Specifically, this page:
 http://www.debian.org/ports/amd64/

says:

 "The stable release of the unofficial port is based on unpatched Sarge
  sources and has full security support by the Debian Security Team. The
  Debian-Backports and -Volatile services are fully supported, too.

 ...

 The Debian Security Team supports updates to the unofficial Sarge
 release, which are made available on security.debian.org."

Suggested correction is to put all of the "official" wording in future
tense ("will support updates ..."), and then add the correct location to
give apt to obtain the fixes now.

Additionally, the correct location can not be found by searching
debian.org for announcements.  The last announcement on the subject
(from _May_ of 2005) says the same as the AMD64 port page: go to
security.debian.org.  I had to ask on LWN to get the real answer.
Another reader responded:

 http://lwn.net/Articles/144530/

"Goswin von Brederlow answered this question in
 http://lists.debian.org/debian-amd64/2005/07/msg00347.html.

 'We are waiting on James Troup to activate amd64 on the security
  servers. The buildd is otherwise setup and running.

  For the time being all security builds are uploaded to
  sarge-proposed-updates on amd64.debian.net and people should add
  that to the sources.list for now and just till sec.d.o gets
  reconfigured for us.'
"

That mailing list post was a month ago.  It doesn't appear the
security servers will activate amd64 any time soon so it would be
better to update the documentation to not point to them for AMD64.

Thanks,
-Ross
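
The failure described in this report is silent: apt accepts a security source that publishes nothing for the host architecture. The following check is an added example, not part of the original bug report or of any Debian tool; it compares each `deb` line against the `Architectures` field of that suite's Release file. The host names and Release contents are constructed placeholders.

```python
import re

def release_architectures(release_text):
    """Return the architectures named in a Release file's Architectures field."""
    for line in release_text.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "architectures":
            return set(value.split())
    return set()

def parse_sources(sources_text):
    """Yield (uri, suite) for each binary 'deb' line; skip comments and deb-src."""
    for raw in sources_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Drop an optional [option=value] block before the URI.
        line = re.sub(r"\[[^\]]*\]", "", line)
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "deb":
            yield parts[1], parts[2]

def sources_missing_arch(sources_text, releases, arch):
    """List (uri, suite) entries whose Release file does not publish `arch`.

    `releases` maps (uri, suite) to the text of that suite's Release file.
    A source with no Release text is reported too, because it cannot be
    shown to carry packages for this architecture.
    """
    missing = []
    for key in parse_sources(sources_text):
        if arch not in release_architectures(releases.get(key, "")):
            missing.append(key)
    return missing

# Constructed sample input (hypothetical hosts, not real archive data).
SOURCES = """\
deb http://mirror.example/debian sarge main
deb-src http://mirror.example/debian sarge main
deb http://security.example/ sarge/updates main  # security updates
"""
RELEASES = {
    ("http://mirror.example/debian", "sarge"):
        "Origin: Example\nSuite: stable\nArchitectures: amd64\n",
    ("http://security.example/", "sarge/updates"):
        "Origin: Example\nSuite: stable\nArchitectures: alpha arm i386 powerpc\n",
}

if __name__ == "__main__":
    for uri, suite in sources_missing_arch(SOURCES, RELEASES, "amd64"):
        print(f"no amd64 packages published by {uri} {suite}")
```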



