[Removed debian-private from Cc-List, there is *no* need to duplicate the thread there]
On Fri, May 16, 2003 at 07:58:44AM +0200, Sven Luther wrote:
> 2) a way for people for which stable is too outdated to run more
> advanced software, without suffering from the breakages of unstable.
> By saying this we clearly imply that it is better to run testing
> than unstable.

Sure, but we _still_ tell people that care for security *to run stable*. No one was ever told that unstable is secure and should be used for critical services....

> Sure, this was before we had time to test testing,
> and before we became aware of the big stalls implied, and the fact
> that security wise testing is worse than unstable.

And still, unstable _is_ bad according to security. We do NOT encourage people to run unstable for secure machines, so why do you think that telling people to rather use testing than unstable for not-secure things is a bad idea? Just take the long time that the kde2 packages in unstable were still vulnerable because their maintainers thought that kde3 will make it soon into unstable (or whatever the real reason was -- the reason doesn't really matter, so don't pin me down on that).

> This second goal is today a total failure,

I don't think so. Security was never part of that second goal.

> I still think that the second goal can be achieved. Probably the fact to
> use testing-proposed-update for security and RC bugs would be enough, I
> don't know, only experience will tell.

Some people stepping forward to do actual work on that part would be needed, then it might be enough. People repeating the same phrases and accusations over and over again are not enough, though.

So long,
Alfie