Russell Stuart <russell-deb...@stuart.id.au> writes:

> If it is so that much of a disaster that it warrants pulling a package
> from stable, surely a little more notification than an email to a list
> most people don't monitor would be warranted?
See, for example, DSA-2819. Or, on a different front, DSA-2907, which was
rather important to read.

I find this concept that most people who run Debian in stable production
environments don't read the DSAs rather terrifying. Please, if you run a
lot of Debian systems and care at all about the security of those systems,
just read the mailing list. It doesn't get that much traffic. There are
also RSS feeds in various formats.

If you're just using Debian as a home desktop or the like, the chances of
someone going to the effort to MITM your connection to the mirror in order
to attack some local package that you haven't upgraded is remote enough
that I'm just not particularly worried about it. Yes, it's possible, but
it's a lot less likely than other attacks that we aren't doing anything
about currently.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: https://lists.debian.org/8738a6cems....@hope.eyrie.org