On Tue, Apr 15, 2008 at 08:27:15PM +0200, Sven Joachim wrote:
> On 2008-04-15 18:43 +0200, Andrew Sackville-West wrote:
> > On Tue, Apr 15, 2008 at 08:45:47AM +0200, Sven Joachim wrote:
> >> It is true that sid users should generally check out for grave bugs and
> >> security issues of packages they want to install, but the same holds for
> >> testing.  After all, buggy packages will not be removed quickly and an
> >> update will first be available in unstable before it migrates to
> >> testing.
> >
> > is it not true that _security_ patches migrate to testing through a
> > different route than the one to sid? I kind of picture it like this:
> >
> > testing security team "finds" security bug, writes patch and pushes it
> > to testing and (probably?) passing it back upstream as well. Then
> > upstream incorporates the fix and it works its way into sid through
> > upstream's regular release cycle?
> In general, no.  First, the testing security team also works as security
> team for unstable: if the maintainer does not react in time and uploads
> a fix himself, they usually upload directly to unstable as well.
> Secondly, they only upload to testing-security if the fixed package for
> unstable is not expected to migrate quickly.  You can see¹ that Iceweasel
> has still an unfixed version in testing, while both stable and unstable
> have the latest upstream version.  Apparently it did not build on mips
> and mipsel.
> > I suppose I should shut up and start reading more about debian
> > security...
> I'd recommend to start with http://testing-security.debian.net/, that
> gives a good overview what this team is about.


