On Wed, May 14, 2003 at 10:03:32AM -0500, Steve Langasek wrote: > Figuring that a security upload would be preferable, I approached the > security team and offered to prepare an upload. I was effectively told > that this isn't done, and because it isn't done, most testing users don't > have security.d.o in their sources.list, so don't bother.
This is an excellent point. Testing users do not expect updates from securit.debian.org, so there is no reason that they need to be kept there. Testing users do not have such an entry in sources.list, so any other repository would be on equal footing. However, so far no one has taken any action to coordinate this, nor has anyone prepared updates for testing that would occupy such a repository. > The only remaining option is to get a dependency chain that passes muster > with the testing scripts. While this is a goal anyway, and while fixing > the RC bugs in other packages is good for the release as a whole :), it's > certainly the least efficient way to make a fixed package available and > does nothing to help those testing users whose machines are being > compromised today because they had no reason to believe they should add > deb http://security.debian.org/ woody/updates main on a machine running > testing. This is a related, more general issue, of how to minimize the blockage introduced by package dependencies. I think this problem is much more worthwhile to address than security updates targeted at 'testing'. -- - mdz
