On Wed, May 14, 2003 at 07:12:15PM -0400, Joey Hess wrote:
> So here's an alternative that would actually work:
>
> Take the harden package, or create something similar: a package that
> conflicts with all versions of packages with known security holes. Note
> that harden currently does not track all security holes; it has been
> released only twice in the past 6 months and the last update for security
> conflicts seems to have been in August.
>
> Upload each new release of this package (should be arch: all) to
> unstable with urgency=critical. It will enter testing in two days each
> time. You might eventually arrange something special with AJ that gets
> it into testing with no delay at all, but that's more likely to happen
> once the thing is already in place, and users are already using it, and
> we know it actually helps the state of testing and security.
>
> So -- promote the hell out of it. Post to debian-announce, get it added
> to the description of testing on the web site, post an article to debian
> planet, and to debian-user. Make sure users know about it and install it
> when using testing.
>
> Doesn't seem that hard..

A very interesting idea, and would require perhaps the minimum possible
effort on the part of the promoter. No patches, nor backports, nor separate
repository; only a bit of bookkeeping. If no one will step forward to do
even this, then surely this service must not be considered particularly
valuable.

--
 - mdz