On Tue, August 20, 2013 19:40, Steve Langasek wrote:
> On Tue, Aug 20, 2013 at 06:35:08PM +0200, Pau Garcia i Quiles wrote:
>> IMHO that should be turned around: package maintainers should be the
>> ones responsible for updates and the Security Team should help with that
>> (e.g. by providing tips and/or reviewing the fixes)
>
> That's not the understanding that was in place when I joined Debian.
> Certainly there seems to be a move by the security team to push more and
> more responsibility onto the package maintainers lately; I understand the
> motivation (like everyone else they have more to do than they have time to
> do it in),

Division of labour is very important to sustain the security support for the full breadth of the archive, but an important part of the shift in responsibility is that the package maintainers are in better contact with upstream and much more used to the intricacies of the software and its packaging, and on top are probably in a well suited position to test the changes. Having the maintainers involved in creating updated packages is therefore a much more preferable MO than the security team preparing the updates on their own.

> but I think the outcome, whereby the security team denies use
> of the security update channel for non-"critical" security bugs and
> redirects maintainers to stable-updates instead, is unfortunate. As far
> as I'm concerned, a security fix that isn't worth being pushed to
> security.debian.org is also not worth me spending time on as a maintainer
> to push to stable-updates.

And that is a very fair position. Everything that smells like security, regardless of impact and seriousness, gets a CVE id and is called a "security issue". The security team triages issues and decides what is not critical enough for a DSA. Perhaps a good way is to see those issues as bugs of severity up to "important": where it's arguable that may improve Debian by putting it into a spu, but it can equally well be argued that there are better ways to spend your time.

Thijs