* Sven Luther <[EMAIL PROTECTED]> [2003-05-16 13:33]:
> Such a package should be as close as possible to the version actually
> in testing, and not depend on packages and/or versions that are not
> yet in testing.

So, you request more or less that every developer should backport fixes themselves from the usual new upstream version that fixes the problem (and mostly always has new features too) to the version in testing, which might even be older than just one upstream release, due to the usual holdups in the transition.

It sounds like you would like to have every developer be able to do what the security team does. That requires much skill -- much more than most of us possess! I for my part don't think that I could spend enough effort on doing this correctly, and I don't think that I'm that far below average in skills of the usual Debian developer.

What _is_ needed to do it correctly, to make it work, is having people that are *willing* to do such backport fixes -- and still people only keep repeating that it is needed and needed, but still no one is stepping forward to do the actual work. I for my part would be pleased to be of help when it's needed, but I'm afraid that I lack the skill to be in the core team (hell, I'm JAPH, with some C knowledge, but when it comes to Python, C++, Java or whatever I'm out of luck), leaving aside the time constraints I'm currently facing.

> Also, we could add 2 things, first the RM assistants, which are Debian
> developers who have volunteered to help the RM in this, and have the
> right to give the green light to uploads.

Off topic: I haven't seen it on d-d-a, are they decided yet? Just curious.

> Second, what could be done about NMUs. Maybe a small group of apprentice
> security team members could scan the security announcements, and prepare
> NMU of such security holed packages, in close contact with the
> maintainer and the RM or his assistants, or maybe even the security
> team, especially if the problems are also present in stable packages.

This is nothing new and was said over and over again -- just that no one yet seems to have raised interest to do the work!

Sorry for my pessimism but I doubt that this thread will really make anyone step forward this time.... I'd love to be told otherwise!

> So, with such an announcement, everyone wins

No one wins if no one likes to do the work, like I said before in this thread. It would just make us look even more awkward, I guess.

> the maintainer will be able to fix things in testing more easily

If I understand you correctly it wouldn't be easy, for backporting fixes seldom is easy.

So long!
Alfie
--
<Alfie> I have a little problem with a bug-report I received... *scratch*
<doogie> Alfie: I send those to /dev/null
                  -- #debian-devel