I wrote: > > The solution is obvious: please include a list (ideally at the beginning) > > of changed packages in the release that were not previously available from > > security.debian.org. In most cases this will be a very small list.
Martin Schulze wrote: > I already say "DSA nnn-m" in the first line of the description for > each set of packages that was updated through security.debian.org. > The user announcement[1] contains two sections "Security Updates" and > "Miscellanneous Bugfixes", so I really don't know what you are talking > about -- or you just didn't understand that the "Bits from SRM" mail > is for coordinating the update and not announcing the update. The 2.2r7 announcement (http://www.debian.org/News/2002/20020713) is a fine example of how to do it right. Past update announcements were not written this way. I am completely satisfied with this format. I would suggest one additional sentence, something like "If you have been faithfully applying the updates from security.debian.org, you already have these updates." in the security updates section. Since the "Bits from SRM" message resembled the older Potato upgrade announcements, which were all mixed together, I got nervous. Certainly you can fix this stuff in the end. The "Bits" messages received wide publicity, though (LWN, Debian Planet, etc) so you should know that many users are seeing them. As someone who has done release notes for other projects in the past (including GCC), I should warn that giving it one way to the developers (everything mixed together) and another way to the users (security updates sorted out) tends to be more error-prone and can waste developer time. It mixes the information-free parts of the announcement (of *course* security updates will be included!) with the important stuff that the developers may want to argue with you about (which non-security fixes go in). This is just a suggestion and you can take it or leave it.
