On Thu, May 15, 2003 at 10:26:35PM +1000, Anthony Towns wrote:
> On Thu, May 15, 2003 at 11:13:59AM +0200, Sven Luther wrote:
> > On Thu, May 15, 2003 at 09:03:06PM +1000, Anthony Towns wrote:
> > > On Thu, May 15, 2003 at 08:09:48AM +0200, Sven Luther wrote:
> > > > On Thu, May 15, 2003 at 01:13:19PM +1000, Anthony Towns wrote:
> > > > > On Wed, May 14, 2003 at 07:12:15PM -0400, Joey Hess wrote:
> > > > > > Take the harden package, or create something similar: a package that
> > > > > > conflicts with all versions of packages with known security holes.
> > > > > Why not just /fix/ the holes? Is uploading a package with a well known
> > > > > patch _really_ that hard?
> > > > The fact is, we don't have a security architecture, or even autobuilders
> > > > for testing,
> > > Uh, actually, we have both these things. We've had them for almost a year
> > > now, although they haven't been used.
> > So, the infrastructure is there, but not turned on?
> No, it's sitting there, waiting for someone to use it. After a year's
> neglect it might need some metaphorical oil on its hinges and some
> dusting, but it really is there. I'm not just saying this for rhetorical
> value.
Ok, I had the impression this was not the case, but then, maybe I misremembered or something such.

So, the right and easy solution for the samba security bug is to upload the source package to testing-proposed-update, and it will get rebuilt on all testing supported architectures in time. What happens then, will it stay apart, or get transitioned into testing when all arches have rebuilt?

I suppose a testing pbuilder or something such would be needed for the initial upload and not pure source, since we don't have an arch: all autobuilder.

What about version numbers? Should the same version number as the unstable package be used, or only the minor Debian version number be bumped, with maybe an additional testing or security part?

Also, should we use this only for security fixes, or also for other RC bugs or even non-RC bugs? Where is the limit and, if there is one, who will enforce it?

Friendly,

Sven Luther