Hi, On Fri Dec 28, 2007 at 19:19:50 -0500, Jim Popovitch wrote: > On Fri, 2007-12-28 at 22:36 +0100, Martin Zobel-Helas wrote: > > On Fri Dec 28, 2007 at 22:10:08 +0100, Wolfgang Jeltsch wrote: > > > However, I cannot see any security announcement for most of these. Were > > > they > > > updated because of the security fix for tar? If yes, why doesn’t the > > > security announcement mention that updated versions are available also > > > for > > > those packages? > > > > see > > http://lists.debian.org/debian-announce/debian-announce-2007/msg00004.html > > Martin, > > First, I (and many others) appreciate your and everyone else's work on > Debian. That said, I too am confused by the latest Debian 4.0 release. > It seems to me that, in the past, all Debian patches were released with > DSAs (why patch w/o a DSA?), and that further updates to the core > release (Potato, Sid, Sarge, Etch, etc) were only a roll-up of > previously issued DSAs. I don't recall new functionality ever being > added in a core release update bundle (although I could be wrong).
You are (mostly) wrong here. Most of the packages mentioned under "Miscellaneous Bugfixes" in the Release Announcement are just bug fixes, several of them also have CVE numbers, of which the security team thinks which are not so important to fix. Others just add missing dependencies without those the package would not be able to run. Also other packages just get RC bugs fixed. The only package which got REAL updates this time was the Debian Linux Kernel, to support eg. SGI o2 machines. Also some (sub-)architectures were missing some important kernel modules the other (sub-)archtitectures had, so we considered that as worth for updating the kernel. > Consider that some people, such as myself, only update servers based on > review of public DSA statements. Yet now we find ourselves with > multiple days of updates to multiple pkgs, but no corresponding DSA > announcements to cross reference for validity (which can easily make one > suspect a mirror has been hacked). Thus we try to send out the announcement to that 'point release' very short after packages have been pushed out to the mirrors (read as in: within one day). We cannot send it directly after the dinstall process, as only the tier-1 mirrors then would have those packages, but not tier-2 and tier-3 mirrors. Also consider some mirrors only update by cron twice a day. > Since I'm not the only one confused by the recent updates, can we get > some clarification on this process please. Specifically, is it > currently Debian policy to release non-critical pkg updates, i.e. > releases without DSAs, in periodic core release rollups? (is this new or > has it been so in the past?) Could Debian be better served by calling > the rollup (including new non-critical updates) a new release (i.e 4.1)? These releases are called 'point releases' and are prepared publicly. Preperation mails to these point releases are periodicly sent to [EMAIL PROTECTED] Also prior releases had 'Miscellaneous Bugfixes', see eg. [2]. The list of 'Miscellaneous Bugfixes' just got a bit bigger, as the last point releases was for various reasons not 2 but 6 month ago. Also my predecessor, Joey Schulze, was much more strict regarding 'Miscellaneous Bugfixes', and several Debian Developers expressed the wish that his rules should be eased a bit. We are still very strict regarding these bugfixes but not as strict as he was. I hereby will also say that these bugfixes (and point releases) will happen in future as well, so be prepared to it. You really should read [EMAIL PROTECTED], as all these updates will be announced to that mailing list. Hope that eMail helps a bit to clarify. Greetings Martin [1] http://lists.debian.org/debian-release/2007/12/msg00203.html or http://lists.debian.org/debian-release/2007/12/msg00254.html [2] http://lists.debian.org/debian-announce/debian-announce-2007/msg00003.html or http://lists.debian.org/debian-announce/debian-announce-2007/msg00000.html -- [EMAIL PROTECTED] /root]# man real-life No manual entry for real-life -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
