On Thu, 2008-01-10 at 23:37 -0500, Noah Meyerhans wrote: > On Thu, Jan 10, 2008 at 11:25:07PM -0500, Thomas Bushnell BSG wrote: > > > Except that the security flaw is in the fileserver, which does not > > > involve the kernel module at all and runs fine even without it > > > installed. > > > > Surely. But then the security update shouldn't mention unaffected > > packages! > > All binary packages built from a given source package are updated > together. Yes, this is inefficient when many binary packages are built > from a single source packages. We mention all the binary packages in > the advisory because they're the versions that are going to be installed > by apt* and people are going to want checksums, file sizes, etc. We > don't have any sane mechanism for updating a subset of a source > package's binary packages. Until we do (don't hold your breath) we will > continue to provide all the information we're currently providing. > > Surely you must have wondered in the past why a DSA for xfree86 required > you to install new fonts...
No, I was happy to think as you describe: that the assumption is that all binary packages are updated together. But I was just told that this is not actually the point. See, I noted that the posted instructions would *fail* to actually update all the binary packages together, and was told that this is not actually the point. Perhaps instead of defensiveness, the real issue is this: installing upgraded debian packages is not sufficient, in the presence of kernel module source packages, to effect the necessary upgrades. Security announcements should make this clear, and contain correct complete instructions for whichever packages are mentioned. If a security bug were found in the afs client-side package, which is implemented as a kernel module, would the announcement not look just like the one we saw for DSA 1458-1? Thomas -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
