On Wed, 22 Nov 2000, Ben Collins wrote:

> On Thu, Nov 23, 2000 at 12:35:19AM +1000, Anthony Towns wrote:
> > On Wed, Nov 22, 2000 at 08:53:49AM -0500, Ben Collins wrote:
> > > So we release immediately even though there are major security updates and
> > > package revisions that need to be done? That sounds like RH release goals,
> > > "make the point change, just so it looks like we are doing something".
> >
> > I repeat: at the moment potato has a number of security problems which
> > have packaged, completed fixes. Furthermore, the Debian Project Leader is
> > being cited as saying that ``Debian is broken'' [0], and the Debian
> > Press Contact is on the record as having announced ``It is recommended
> > that people wishing to install [...] updates or create CD images wait
> > until the release of version 2.2r2 to do so'' [1]. Not only this, Debian
> > is also on record as assuring users that ``A 2.2r2 release is expected
> > within the next 10 days'' [2].
>
> So do we want to change that to "wait for 2.2r3" just after releasing
> 2.2r2? IMO, if the security fixes don't get it, there is no way we can
> recommend CD vendors using 2.2r2.

As a CD Vendor I have watched this thread with interest. The day that you release 2.2R2 there could be a major security hole announced that needs fixing. There could be another one the day I get the CDs back from the replicator !!

The security updates need to be independent of the release, which is why Red Hat for example still release security updates for RH 6.2.

You can't even download Debian 2.2r0 anymore and you certainly can't make ISO images using the pseudo image kit, because the original FTP files were overwritten by 2.2r1 on the mirrors without the pseudo image kit having caught up. There doesn't seem to be a copy of the 2.2r0 tree anywhere to allow the ISOs to be made, and with 2.2R1 'broken' that seems to leave people unable to download a stable version of Debian. That is why it is imperative to get 2.2R2 released as soon as possible.

We provide weekly Red Hat and Mandrake update CDs including all known updates; there is no reason why the same can't be done for Debian.

I think that there needs to be a 'minimum time' between point releases to allow for vendors pressing CDs - and I would suggest 3 months as being the absolute minimum.

The real problem here seems to have come about because 2.2r1 was released prematurely without the then known security fixes having been incorporated.

Regards
Lance
[EMAIL PROTECTED]

