[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#321896: marked as done (Incorrect security info on AMD64 page)



Your message dated Mon, 8 Aug 2005 08:47:19 +0100
with message-id <1e0501c59bed$67839c00$eb00010a@andromeda>
and subject line Bug#321896: Incorrect security info on AMD64 page
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 8 Aug 2005 01:16:02 +0000
>From rocombs@hongkong.cs.nmsu.edu Sun Aug 07 18:16:02 2005
Return-path: <rocombs@hongkong.cs.nmsu.edu>
Received: from hongkong.cs.nmsu.edu [128.123.64.160] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1E1wFG-0006KD-00; Sun, 07 Aug 2005 18:16:02 -0700
Received: from hongkong.cs.nmsu.edu (IDENT:1236@localhost [127.0.0.1])
	by hongkong.cs.nmsu.edu (8.12.11/8.12.11) with ESMTP id j781Fuo5008210;
	Sun, 7 Aug 2005 19:16:01 -0600
Received: (from rocombs@localhost)
	by hongkong.cs.nmsu.edu (8.12.11/8.12.11/Submit) id j781FuS1008209;
	Sun, 7 Aug 2005 20:15:56 -0500
From: Ross Combs <rocombs@cs.nmsu.edu>
Date: Sun, 07 Aug 2005 20:15:56 -0500
To: submit@bugs.debian.org
Subject: Incorrect security info on AMD64 page
Message-ID: <42F6B24C.mail6AB1OITG3@hongkong>
User-Agent: nail 10.7 3/19/04
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: www.debian.org
Version: n/a

The security support for the AMD64 port is still (apparently) not
in place.  However the only information on www.debian.org says that
it is.  Following the instructions provided on the site is dangerous
because no security updates will be applied.

Specifically, this page:
 http://www.debian.org/ports/amd64/

says:

 "The stable release of the unofficial port is based on unpatched Sarge
  sources and has full security support by the Debian Security Team. The
  Debian-Backports and -Volatile services are fully supported, too.

 ...

 The Debian Security Team supports updates to the unofficial Sarge
 release, which are made available on security.debian.org."

Suggested correction is to put all of the "official" wording in future
tense ("will support updates ..."), and the add the correct location to
give apt to obtain the fixes now.

Additionally, the correct location can not be found by searching
debian.org for announcements.  The last announcement on the subject
(from _May_ of 2005) says the same as the AMD64 port page: go to
security.debian.org.  I had to ask on LWN to get the real answer.
Another reader responded:

 http://lwn.net/Articles/144530/

"Goswin von Brederlow answered this question in
 http://lists.debian.org/debian-amd64/2005/07/msg00347.html.

 'We are waiting on James Troup to activate amd64 on the security
  servers. The buildd is otherwise setup and running.

  For the time being all security builds are uploaded to
  sarge-proposed-updates on amd64.debian.net and people should add
  that to the sources.list for now and just till sec.d.o gets
  reconfigured for us.'
"

That mailing list post was a month ago.  It doesn't appear the
security servers will activate amd64 any time soon so it would be
better to update the documentation to not point to them for AMD64.

Thanks,
-Ross


---------------------------------------
Received: (at 321896-done) by bugs.debian.org; 8 Aug 2005 07:47:52 +0000
>From debian-www@adam-barratt.org.uk Mon Aug 08 00:47:52 2005
Return-path: <debian-www@adam-barratt.org.uk>
Received: from mail0.avcosystems.co.uk [195.224.236.86] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1E22MS-0000ov-00; Mon, 08 Aug 2005 00:47:52 -0700
Received: from lexx.avco ([192.168.0.1] helo=andromeda)
	by mail0.avcosystems.co.uk with esmtp (Exim 4.52 #1 (Debian))
	id 1E22Lv-00044N-QD; Mon, 08 Aug 2005 08:47:19 +0100
Received: from 127.0.0.1 (AVG SMTP 7.0.338 [267.10.2]); Mon, 08 Aug 2005 08:47:19 +0100
Message-ID: <1e0501c59bed$67839c00$eb00010a@andromeda>
From: "Adam D. Barratt" <debian-www@adam-barratt.org.uk>
To: "Ross Combs" <rocombs@cs.nmsu.edu>,
	<321896-done@bugs.debian.org>
Cc: <debian-www@lists.debian.org>
References: <42F6B24C.mail6AB1OITG3@hongkong>
Subject: Re: Bug#321896: Incorrect security info on AMD64 page
Date: Mon, 8 Aug 2005 08:47:19 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
X-AVCO-Scan-Signature: 6b9ed759886a02dbb61b8c3cb8a7d253
Delivered-To: 321896-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-4.0 required=4.0 tests=BAYES_20,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

On Monday, August 08, 2005 2:15 AM, Ross Combs <rocombs@cs.nmsu.edu> wrote:

> The security support for the AMD64 port is still (apparently) not
> in place.

This is not the case - see
http://lists.debian.org/debian-devel-announce/2005/08/msg00001.html

[...]
> "Goswin von Brederlow answered this question in
>  http://lists.debian.org/debian-amd64/2005/07/msg00347.html.
>
>  'We are waiting on James Troup to activate amd64 on the security
>   servers. The buildd is otherwise setup and running.

That may well have been the case in early July. It has not been the case
since at least last week, when the announcement was made.

> That mailing list post was a month ago.  It doesn't appear the
> security servers will activate amd64 any time soon so it would be
> better to update the documentation to not point to them for AMD64.

The security team and the ftpmaster of amd64.debian.net disagree on both
points, as per the d-d-a post I referred to earlier. Therefore I'm closing
this report.

(Indeed
http://security.debian.org/debian-security/dists/stable/updates/main/
already contains a binary-amd64 folder, although admittedly it currently
only contains arch-all packages)

Regards,

Adam



Reply to: