Hi,
On Fri Dec 28, 2007 at 19:19:50 -0500, Jim Popovitch wrote:
On Fri, 2007-12-28 at 22:36 +0100, Martin Zobel-Helas wrote:
On Fri Dec 28, 2007 at 22:10:08 +0100, Wolfgang Jeltsch wrote:
However, I cannot see any security announcement for most of these. Were
they
updated because of the security fix for tar? If yes, why doesn’t the
security announcement mention that updated versions are available also
for
those packages?
see
http://lists.debian.org/debian-announce/debian-announce-2007/msg4.html
Martin,
First, I (and many others) appreciate your and everyone else's work on
Debian. That said, I too am confused by the latest Debian 4.0 release.
It seems to me that, in the past, all Debian patches were released with
DSAs (why patch w/o a DSA?), and that further updates to the core
release (Potato, Sid, Sarge, Etch, etc) were only a roll-up of
previously issued DSAs. I don't recall new functionality ever being
added in a core release update bundle (although I could be wrong).
You are (mostly) wrong here. Most of the packages mentioned under
Miscellaneous Bugfixes in the Release Announcement are just bug fixes,
several of them also have CVE numbers, of which the security team thinks
which are not so important to fix. Others just add missing dependencies
without those the package would not be able to run. Also other packages
just get RC bugs fixed.
The only package which got REAL updates this time was the Debian Linux
Kernel, to support eg. SGI o2 machines. Also some (sub-)architectures
were missing some important kernel modules the other
(sub-)archtitectures had, so we considered that as worth for updating
the kernel.
Consider that some people, such as myself, only update servers based on
review of public DSA statements. Yet now we find ourselves with
multiple days of updates to multiple pkgs, but no corresponding DSA
announcements to cross reference for validity (which can easily make one
suspect a mirror has been hacked).
Thus we try to send out the announcement to that 'point release' very
short after packages have been pushed out to the mirrors (read as in:
within one day). We cannot send it directly after the dinstall process,
as only the tier-1 mirrors then would have those packages, but not
tier-2 and tier-3 mirrors. Also consider some mirrors only update by
cron twice a day.
Since I'm not the only one confused by the recent updates, can we get
some clarification on this process please. Specifically, is it
currently Debian policy to release non-critical pkg updates, i.e.
releases without DSAs, in periodic core release rollups? (is this new or
has it been so in the past?) Could Debian be better served by calling
the rollup (including new non-critical updates) a new release (i.e 4.1)?
These releases are called 'point releases' and are prepared publicly.
Preperation mails to these point releases are periodicly sent to
[EMAIL PROTECTED] Also prior releases had
'Miscellaneous Bugfixes', see eg. [2]. The list of 'Miscellaneous
Bugfixes' just got a bit bigger, as the last point releases was for
various reasons not 2 but 6 month ago.
Also my predecessor, Joey Schulze, was much more strict regarding
'Miscellaneous Bugfixes', and several Debian Developers expressed the
wish that his rules should be eased a bit. We are still very strict
regarding these bugfixes but not as strict as he was.
I hereby will also say that these bugfixes (and point releases) will
happen in future as well, so be prepared to it. You really should read
[EMAIL PROTECTED], as all these updates will be announced
to that mailing list.
Hope that eMail helps a bit to clarify.
Greetings
Martin
[1] http://lists.debian.org/debian-release/2007/12/msg00203.html or
http://lists.debian.org/debian-release/2007/12/msg00254.html
[2] http://lists.debian.org/debian-announce/debian-announce-2007/msg3.html
or
http://lists.debian.org/debian-announce/debian-announce-2007/msg0.html
--
[EMAIL PROTECTED] /root]# man real-life
No manual entry for real-life
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]