Re: [SECURITY] [DSA 2135-1] New xpdf packages fix several vulnerabilities

2011-01-01 Thread Moritz Muehlenhoff
Michael Gilbert wrote:
> On Tue, Dec 21, 2010 at 12:34 PM, Moritz Muehlenhoff wrote:
> > Upgrade instructions
> > - 
> >
> > If you are using the apt-get package manager, use the line for
> > sources.list as given below:
> 
> For future advisories, I wonder if this might be better said as "Make
> sure that a 'deb http://security.debian.org/ stable/updates main' line
> is included in your /etc/apt/sources.list and then run the following
> commands to perform the update"
> 
> > apt-get update
> >        will update the internal database
> > apt-get upgrade
> >        will install corrected packages
> >
> > You may use an automated update by adding the resources from the
> > footer to the proper configuration.
> 
> Isn't this a repeat of the first sentence in the upgrade instructions?
> 
> > - 
> > -
> > For apt-get: deb http://security.debian.org/ stable/updates main
> 
> I think this would be better stated in plain English as suggested above.
> 
> > For dpkg-ftp: ftp://security.debian.org/debian-security 
> > dists/stable/updates/main
> 
> Since dpkg-ftp is removed from sid/squeeze (and I don't know if it
> checks signatures), I think this line should be removed.
> 
> > Mailing list: debian-security-annou...@lists.debian.org
> 
> Is this statement useful?  The user can look at the mail header to see
> where it came from.
> 
> > Package info: `apt-cache show ' and http://packages.debian.org/
> 
> This may be better to state in plain English.  For example, "For more
> info on this package, type 'apt-cache show' or visit
> http://packages.debian.org/.  For information on the changes
> involved type 'cat /usr/share/doc//changelog.Debian.gz' or
> install the apt-listchanges package."
> 
> I wonder if there should be a warning somewhere in this footer about
> using tools (such as dpkg) that don't check signatures?  Or maybe
> explicitly state that apt, aptitude, synaptic, software center, update
> manager, etc. are the only recommended tools.
> 
> Anyway, just some thoughts on new changes.

Thanks for the feedback. We've ended up with a much simplified version.

BTW, the line Mailing list: debian-security-annou...@lists.debian.org 
is currently mandated by the mailing list script.

Cheers,
   Moritz


-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110101235724.gf2...@galadriel.inutil.org



Re: [SECURITY] [DSA 2135-1] New xpdf packages fix several vulnerabilities

2010-12-22 Thread Michael Gilbert
On Tue, Dec 21, 2010 at 12:34 PM, Moritz Muehlenhoff wrote:
> Upgrade instructions
> - 
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:

For future advisories, I wonder if this might be better said as "Make
sure that a 'deb http://security.debian.org/ stable/updates main' line
is included in your /etc/apt/sources.list and then run the following
commands to perform the update"

> apt-get update
>        will update the internal database
> apt-get upgrade
>        will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.

Isn't this a repeat of the first sentence in the upgrade instructions?

> - 
> -
> For apt-get: deb http://security.debian.org/ stable/updates main

I think this would be better stated in plain English as suggested above.

> For dpkg-ftp: ftp://security.debian.org/debian-security 
> dists/stable/updates/main

Since dpkg-ftp is removed from sid/squeeze (and I don't know if it
checks signatures), I think this line should be removed.

> Mailing list: debian-security-annou...@lists.debian.org

Is this statement useful?  The user can look at the mail header to see
where it came from.

> Package info: `apt-cache show ' and http://packages.debian.org/

This may be better to state in plain English.  For example, "For more
info on this package, type 'apt-cache show' or visit
http://packages.debian.org/.  For information on the changes
involved type 'cat /usr/share/doc//changelog.Debian.gz' or
install the apt-listchanges package."

I wonder if there should be a warning somewhere in this footer about
using tools (such as dpkg) that don't check signatures?  Or maybe
explicitly state that apt, aptitude, synaptic, software center, update
manager, etc. are the only recommended tools.

Anyway, just some thoughts on new changes.

Best wishes,
Mike


--
Archive: http://lists.debian.org/aanlktimscmql9ztzrffans_5yjob4o4kxpvhz2w_l...@mail.gmail.com
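The upgrade instructions debated in this thread (make sure the `deb http://security.debian.org/ stable/updates main` line is enabled, then run `apt-get update` and `apt-get upgrade`) as a small checker, added here as an example that is not part of the thread or of Debian's advisory tooling. The function names `has_security_source` and `ensure_security_source` are hypothetical, the sources file path is passed as an argument, and the script assumes one-line `deb` entries in sources.list format.

```shell
#!/bin/sh
# Added example, not from the thread or Debian's advisory tooling: check that
# the security source quoted in the advisory footer is actually enabled in an
# apt sources file before relying on "apt-get update && apt-get upgrade".
# Assumptions: one-line "deb" entries (sources.list format); file path is $1;
# the URL, suite and component are the ones quoted in the thread.

SEC_URL='http://security.debian.org/'
SEC_SUITE='stable/updates'
SEC_COMP='main'

# has_security_source FILE
# Returns 0 when FILE has an uncommented "deb" line (deb-src does not count)
# for the advisory's URL and suite that lists the "main" component.
# Commented-out lines and trailing comments are ignored; a trailing slash on
# the URL is tolerated, as are extra components such as "main contrib".
has_security_source() {
    file=$1
    [ -r "$file" ] || return 1
    awk -v url="${SEC_URL%/}" -v suite="$SEC_SUITE" -v comp="$SEC_COMP" '
        { sub(/#.*/, "") }               # drop whole-line and trailing comments
        $1 != "deb" { next }             # only binary package sources
        { u = $2; sub(/\/$/, "", u) }    # normalise a trailing slash on the URL
        u != url || $3 != suite { next }
        { for (i = 4; i <= NF; i++) if ($i == comp) { found = 1; exit } }
        END { if (found) exit 0; exit 1 }
    ' "$file"
}

# ensure_security_source FILE
# Appends the advisory's line only when it is missing and reports which
# case applied, so an update script can tell a no-op from a change.
ensure_security_source() {
    file=$1
    if has_security_source "$file"; then
        echo "present"
    else
        printf 'deb %s %s %s\n' "$SEC_URL" "$SEC_SUITE" "$SEC_COMP" >> "$file"
        echo "added"
    fi
}

# Typical use on a real system (commented out so the file runs stand-alone):
# ensure_security_source /etc/apt/sources.list && apt-get update && apt-get upgrade
```

Because apt verifies the Release signature for this source on `apt-get update`, enabling it through apt (rather than fetching .deb files by hand) is what gives the signature check the thread asks about.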