On Wed, Apr 12, 2006 at 05:03:34PM +0200, VOROSKOI Andras <[EMAIL PROTECTED]> wrote:
> Well, i don't know how much work this is, but simply bumping the
> packages in -stable doesn't work all the time. Adding only the security
> patch is much cleaner, but it's unambiguously more difficult. Not only
> because of more work, but the possibility of errors.
> So if the developers of the program don't sign exactly what had
> changed because of security issues and what just because of some other
> reason it can be difficult to make a backport.
so there are two goals:

- stable has no version bumps but is still secure
- sec issues are solved by version bumps

the problem is when it's up to us to extract the sec patch, and it hasn't been done by upstream. in this case, we should decide what we do. a possible rule: "try to extract the secfix from the cvs, etc, but if the patch is not provided by upstream, then you are allowed to bump the version in -stable" <- how about this?

in this case, the m8r:

- bumps the package in -current, and in the patch comment mentions what the situation is: upstream patch: yes/no, if yes, the url
- notifies the sec team that there is something to be pulled into -stable

the sec team:

- applies the patch or bumps the version (no need to search for a patch, it's already done by the m8r)
- when the fixed packages are uploaded to -stable, releases an advisory

this way the security updates are done by the security team, but it's much less work than doing everything themselves

is this a better proposal? :)

udv / greetings,
VMiklos

-- 
Developer of Frugalware Linux, to make things frugal - http://frugalware.org

_______________________________________________
Frugalware-devel mailing list
[email protected]
http://frugalware.org/mailman/listinfo/frugalware-devel
