Alex
On 12/04/06, VMiklos <[EMAIL PROTECTED]> wrote:
On Wed, Apr 12, 2006 at 05:03:34PM +0200, VOROSKOI Andras <[EMAIL PROTECTED]> wrote:
> Well, I don't know how much work this is, but simply bumping the
> packages in -stable doesn't work all the time. Adding only the security
> patch is much cleaner, but it's unambiguously more difficult. Not only
> because of more work, but the possibility of errors.
> So if the developers of the program don't mark exactly what has
> changed because of security issues and what just because of some other
> reason, it can be difficult to make a backport.
so there are two goals:
- stable has no version bumps but still secure
- sec issues are solved by version bumps
the problem is when it's up to us to extract the sec patch, and it hasn't
been done by upstream. in this case, we should decide what we do. a possible
rule: "try to extract the secfix from the cvs, etc, but if the patch is
not provided by upstream, then you are allowed to bump the version in
-stable" <- how about this?
in this case, the m8r:
- bumps the package in -current, and in the patch comment mentions what
the situation is - upstream patch: yes/no, if yes, the url
- notifies the sec team that there is something to be pulled into -stable
the sec team:
- applies the patch or bumps the version (no need to search for a patch,
it's already done by the m8r)
- when the fixed packages are uploaded to -stable, then releases an
advisory
this way the security updates are done by the security team, but it's
much less work than doing everything themselves
is this a better proposal? :)
udv / greetings,
VMiklos
--
Developer of Frugalware Linux, to make things frugal - http://frugalware.org
_______________________________________________
Frugalware-devel mailing list
[email protected]
http://frugalware.org/mailman/listinfo/frugalware-devel