On 01/09/09 at 23:14 +0200, Julien Cristau wrote:
> On Tue, Sep 1, 2009 at 14:06:17 -0700, Steve Langasek wrote:
>
> > On Tue, Sep 01, 2009 at 11:39:40AM +0200, Julien Cristau wrote:
> > > On Sun, Aug 30, 2009 at 23:38:17 +0200, Lucas Nussbaum wrote:
> > >
> > > > That's unfortunate. Imagine the following scenario:
> > > > 1. Package P is released in sarge, with version 1.0-1.
> > > > 2. Package P is installed on a system S, running sarge.
> > > > 3. etch is released with P 1.0-1.
> > > > 4. A security bug is found in P.
> > >
> > > Does this actually happen? How often?
> >
> > Often enough that it's been discussed repeatedly over the years; not often
> > enough that anyone has fixed it. :)
>
> Every time I've seen it discussed, it was by people who aren't part of
> the security team, and so far the security team seem to say it's not a
> concern for them, so for all I know it may just be theoretical…
Well, one nice feature is that it was only theoretical during the etch +
lenny release cycles, since +b < +etch < +lenny < +nmu. So it is not
surprising that it stayed unfixed for so long.

However, this was broken with sarge (+sarge > +etch), and is broken with
squeeze with NMUs:

1. Package P is available in testing with version 1.0-1
2. A security bug is found in P
3. A testing-security upload is made (1.0-1+squeeze1)
4. The bug is fixed in unstable in an NMU, also fixing other bugs (1.0-1+nmu1)
5. The user installs 1.0-1+squeeze1
6. P 1.0-1+nmu1 migrates to testing

At this point, the user should install 1.0-1+nmu1 (it contains fixes to
other bugs) but will stay with 1.0-1+squeeze1.

-- 
| Lucas Nussbaum                           lu...@lucas-nussbaum.net |
| http://www.lucas-nussbaum.net/                                    |
| jabber: lu...@nussbaum.fr                       GPG: 1024D/023B3F4F |