On Thu, May 15, 2003 at 03:19:02PM +1000, Anthony Towns wrote:
> On Wed, May 14, 2003 at 11:59:49PM -0400, Matt Zimmerman wrote:
> > Do you honestly think it would be a good idea to use testing-security this way
> > on a continual basis?
>
> Yes, I do. I think we should release DSA's for security problems in
> testing, too.

There's that "we" again. Why not unstable, too? Round it out to a nice,
even four distributions to simultaneously support, and 40 or so
distribution*architectures. As if it doesn't take enough time already.

> > Such an endeavor would not seem to require any of the facilities which
> > make foo-security different from foo{,-proposed-updates}.
>
> The same applies to stable: the key differences are immediacy,
> announcements and control, all of which are equally valuable for testing
> as stable.

No, it is not at all the same as stable. The problem that is being
discussed in this thread is the presence of known, publicized security
holes in testing.

> In any event, testing-proposed-updates exists and works at
> present, the only thing missing is people reliably uploading to it, and
> evaluating whether uploads work well enough to be included in testing
> or not. All the technical issues have already been addressed.

In that case, I invite any maintainer with a security fix for their
package in 'testing' to upload it to testing for testing-proposed-updates.
Problem solved. Are you the one who will be responsible for reviewing the
packages?

> Except that there can be no testing users while we don't provide security
> updates. Using testing on a multi-user machine, or one that provides any
> network services on a machine connected to the network is not something
> anyone can recommend in good conscience, and that rules out almost
> everything Debian's actually good at.

This does not trouble me in the least.

> > Sidestepping the process to provide this kind of "timely" security update
> > for "unreleased" software, on the other hand, doesn't seem particularly
> > valuable to me.
>
> What, precisely, is unreleased about it?

release

   <programming> (Or "released version", "baseline") A version of a piece
   of software which has been made public (as opposed to a version that is
   in development, or otherwise unreleased).

   A release is either a {major release}, a {revision}, or a {bugfix}.
   Pre-release versions may be called {alpha test}, or {beta test}
   versions. See {change management}.

"released", as in "no longer under development", as in "not changing on a
DAILY BASIS" (as testing does), and so actually supportable. testing is a
moving target.

--
 - mdz