[Secure-testing-team] another question: backport fixes?

Joey Hess joeyh at debian.org
Thu Jun 30 01:38:53 UTC 2005


Robert Lemmen wrote:
> something else i would like to ask: in stable security, fixes to
> security problems must be isolated and the version in stable must be
> patched with this, is this also true for testing security? so assuming i
> have a version 1.1 in testing with a security problem and a version 1.2
> in unstable where the problem is fixed, but additional features are
> implemented as well. do you have to isolate the security patch or just
> update the whole package. if you want testing security to help stable
> security, then you need to isolate the problem, but in some cases it
> just doesn't make sense: e.g. when the version in stable is not affected
> and the one in unstable is expected to progress to testing soon.
> 
> perhaps someone could explain this to me

The testing security team is mostly interested in making testing as
secure as possible, so we don't generally worry about backporting fixes
unless it's necessary. Some examples of it being necessary include the
new version having dependencies that are blocked from entering testing,
and needing to produce minimal stable-style backports when parts of
testing are frozen prior to a Debian release. It's also often easier to
include a backported fix in a non-maintainer upload, since upgrading to
a new upstream version in an NMU is kinda rude. With these exceptions,
bring on the new upstream versions!

-- 
see shy jo