[Secure-testing-team] Security update for fuse

Joey Hess joeyh at debian.org
Wed Jun 22 19:10:29 UTC 2005


Moritz Muehlenhoff wrote:
> > We need to make sure our fixes have a version number which allows the
> > regular fix to replace them on upgrade.
> 
> What about something like this:
> 3.14-1 vulnerable version in testing
> 3.14-1ts1 fix prepared by secure-testing
> 3.14-2 regular maintainer fix coming through the regular testing propagation

This will fail if there's an NMU to Debian with the fix, since it will
supersede the NMU. It probably needs to use a version like -1.0.0ts1 to
avoid problems with binary NMUs too.

> > Another problem is we need to
> > make sure that a new vulnerable version doesn't come in from unstable
> > and replace our fix.
> 
> But this would only be the case if the maintainer hasn't read his bug reports
> (we should still continue to file bugs for every security issue) and issues
> an update without including a fix or do I misinterpret you?  

It could also happen if the release team decide getting the new package
into testing is more important than the security fix, for example. It's
just something we need to keep an eye out for.

-- 
see shy jo