From http://www.debian.org/doc/manuals/securing-debian-howto/ch9.en.html#s9.1.6
> When a security fix is prepared, packages are prepared for unstable > and the patch is back ported to stable (since stable is usually some > minor or major versions behind). Packages for the stable distribution > are more thoroughly tested than unstable, since the latter might just > provide the latest upstream release. > > Security updates are available immediately for both branches (but not > yet for the testing branch). But this is not always true. Sometimes the DSA reports "For the unstable distribution (sid) these problems will be fixed soon." Why this ? Ok, sometimes the sid package may need a longer testing period, and maybe sometimes a maintainer (or the DST) can consider preferable waiting for the packaging of a new upstream release, but are these the only reasons ? Are the fixes *always* be applied to sid packages and then backported ? This method sounds a bit odd to me, especially when uploading in sid is delayed until a new upstream version is packaged. > If no (new) bugs are detected in the unstable version of the package, > it moves to testing after several days (usually over a week). However, > this does depend on the release state of the distribution. Uploads that fix a security hole should have the priority set to high, and this should reduce the transition delay to less than a week [1], shouldn't it? Ciao, Gian Piero. [1] Usually. I mean if no other problems, as dependencies or similar, arise. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]