Wichert Akkerman <[EMAIL PROTECTED]> writes:

> Installing mailcrypt on security.debian.org would immediately suggest
> that mailcrypt itself has a security problem, which is not true.
> It's a bit of a catch 22.

Well, this is a general problem then, which the security team should think about. The fact that mailcrypt is in contrib means it's a little less important in this particular case, but nonetheless, it's a real problem.

Debian is about a *distribution* and not a random assemblage of .deb's. The security team exists to support the rapid response to security needs for the *distribution*, and not just one package.

So my premise is that a user who tracks stable and security should benefit from security fixes. When the security team does what was done with gnupg, the *distribution* has not gotten decent security support, even if one package has.

Perhaps one solution is to split the security archive into two pieces; one for the actual packages that have security holes, and another for other packages that must be installed on a stable system in order to take advantage of or otherwise use fully the former.

Thomas