On Tue, Sep 01, 2009 at 11:14:04PM +0200, Julien Cristau wrote:
> On Tue, Sep 1, 2009 at 14:06:17 -0700, Steve Langasek wrote:
> > On Tue, Sep 01, 2009 at 11:39:40AM +0200, Julien Cristau wrote:
> > > On Sun, Aug 30, 2009 at 23:38:17 +0200, Lucas Nussbaum wrote:
> > > > That's unfortunate. Imagine the following scenario:
> > > > 1. Package P is released in sarge, with version 1.0-1.
> > > > 2. Package P is installed on a system S, running sarge.
> > > > 3. etch is released with P 1.0-1.
> > > > 4. A security bug is found in P.
> > > Does this actually happen? How often?
> > Often enough that it's been discussed repeatedly over the years; not often
> > enough that anyone has fixed it. :)
> Every time I've seen it discussed, it was by people who aren't part of
> the security team, and so far the security team seem to say it's not a
> concern for them, so for all I know it may just be theoretical…

Binary packages with the exact same version between etch and lenny:

$ zgrep -h Filename dists/{etch,lenny}/main/binary-i386/Packages.gz | sort | uniq -d | wc -l
1838
$

Source packages at the same version between etch and lenny (which may include
source packages that have been incremented only by a binNMU version):

$ zgrep -h ' .*\.dsc' dists/{etch,lenny}/main/source/Sources.gz | sort | uniq -d | wc -l
1630
$

This represents roughly 10% of the binaries in main, and roughly 16% of the
sources.

$ for src in $( zgrep -h ' .*\.dsc' ../../dists/{etch,lenny}/main/source/Sources.gz | sort | uniq -d | sed -e's/.* //; s/_.*//' ); do
    zcat dists/lenny/updates/main/source/Sources.gz | grep-dctrl -FPackage -sPackage -X $src
  done
$

So no actual source packages that have had this problem for etch and lenny,
interestingly enough. I thought there had been one in the sarge timeframe;
but I'm not going to go digging any farther to confirm this.

Yes, the problem is more or less theoretical.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
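The three pipelines in the message above, as an added example that is not part of the thread and not Debian's own tooling: it runs the same "identical Filename / identical .dsc" checks against small constructed Packages and Sources stanzas, with awk standing in for grep-dctrl (which is not installed everywhere). All package names, versions, checksums and file names are made up, and, unlike the real etch/lenny result, the constructed security index deliberately contains an update for the shared-version package so that the last step has something to report.

```sh
#!/bin/sh
# Added example, not from the thread: Steve's three pipelines run against
# constructed Packages/Sources stanzas, with awk standing in for grep-dctrl.
# Every package name, version, checksum and file name here is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample indexes (uncompressed; the real ones are .gz) ---
cat > "$WORK/etch-Packages" <<'EOF'
Package: foo
Version: 1.0-1
Filename: pool/main/f/foo/foo_1.0-1_i386.deb

Package: bar
Version: 2.3-4
Filename: pool/main/b/bar/bar_2.3-4_i386.deb
EOF

cat > "$WORK/lenny-Packages" <<'EOF'
Package: foo
Version: 1.2-1
Filename: pool/main/f/foo/foo_1.2-1_i386.deb

Package: bar
Version: 2.3-4
Filename: pool/main/b/bar/bar_2.3-4_i386.deb
EOF

cat > "$WORK/etch-Sources" <<'EOF'
Package: foo
Version: 1.0-1
Files:
 0123456789abcdef0123456789abcdef 1234 foo_1.0-1.dsc

Package: bar
Version: 2.3-4
Files:
 fedcba9876543210fedcba9876543210 4321 bar_2.3-4.dsc
EOF

cat > "$WORK/lenny-Sources" <<'EOF'
Package: foo
Version: 1.2-1
Files:
 00000000000000000000000000000000 1235 foo_1.2-1.dsc

Package: bar
Version: 2.3-4
Files:
 fedcba9876543210fedcba9876543210 4321 bar_2.3-4.dsc
EOF

# Constructed security-archive index. Unlike what Steve found for etch/lenny,
# this sample does carry an update for the shared-version package, so the
# final check below has a hit to print.
cat > "$WORK/etch-security-Sources" <<'EOF'
Package: bar
Version: 2.3-4+etch1
Files:
 11111111111111111111111111111111 4400 bar_2.3-4+etch1.dsc
EOF

# Binaries identical in both suites: the same Filename: line (which embeds
# the version) occurs in both Packages indexes.
same_binaries() {   # $1, $2: two suites' Packages files
    grep -h '^Filename:' "$1" "$2" | sort | uniq -d
}

# Source packages at the same version: the same .dsc entry occurs in both
# Sources indexes; reduce each hit to the source package name.
same_sources() {    # $1, $2: two suites' Sources files
    grep -h ' .*\.dsc' "$1" "$2" | sort | uniq -d | sed -e 's/.* //; s/_.*//'
}

# Of those names (read from stdin), which have a stanza in the security
# archive's Sources index? awk's exact field match replaces grep-dctrl -X.
with_security_update() {  # $1: security Sources file
    while read -r src; do
        awk -v pkg="$src" '$1 == "Package:" && $2 == pkg { print $2 }' "$1"
    done
}

same_binaries "$WORK/etch-Packages" "$WORK/lenny-Packages"
same_sources "$WORK/etch-Sources" "$WORK/lenny-Sources" \
    | with_security_update "$WORK/etch-security-Sources"
```

On the sample data the first call prints the one shared .deb (bar_2.3-4) and the last pipeline prints "bar", i.e. the case the thread is worried about: a source at the same version in both suites that has since received a security upload in the older suite's archive. Run against real mirrors, replace the sample files with the zcat output of the corresponding Packages.gz and Sources.gz.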