On Thu, Oct 30, 2014 at 1:12 AM, Russell Stuart wrote:
> On Wed, 2014-10-29 at 21:58 -0700, Russ Allbery wrote:
>> Also, this means that you completely miss security advisories that *don't*
>> involve changing a package in the archive, like "this thing is a disaster,
>> so we're pulling it from the archive entirely and suggest you stop using
>> it."
>
> If it is so much of a disaster that it warrants pulling a package
> from stable, surely a little more notification than an email to a list
> most people don't monitor would be warranted?  Something like replacing
> it with a package that sends email daily to root explaining the
> situation would be the very least you could do.

Just upgrading a package is not enough.  Often enough services need
to be restarted, and that information can be stated in the DSA.

There are also end-of-life announcements, which maybe the
debian-security-support package now addresses in a somewhat automated
fashion.

Anyway, it is entirely understandable that reading can be hard, but at
a minimum the truly security-conscious need to be able to do so.

Best wishes,
Mike

