OK, so this is the explanation. I can understand this reason, but in this case I think that the security FAQ http://www.debian.org/security/faq.en.html#policy needs an update, because it clearly says:

"Security breakage in the stable distribution warrants a package on security.debian.org" [...] "The size of a breakage is not the real problem here"

I understood that every security concern, even a minor one, has to go in the security channel.

In the tool I'm developing, I rely on the package channel to know whether a package was installed because of a security concern or not (never mind whether it is a minor one or not), and now I can't be sure of the update type. Is there a more or less simple way to know a package's type (security, bugfix, ...)? I'm developing the same thing for RHEL5 and yum; there I can clearly know the type of a package: Bugfix, Security or enhancement. I think that this information is very important for businesses; at least, it's important for us. Any idea?

2008/7/28 Steffen Joeris <[EMAIL PROTECTED]>:
> On Mon, 28 Jul 2008 10:15:02 pm Frédéric PICA wrote:
>> I didn't see proftpd in the security part of the 4.0r4 news.
>> The major version is still 4.0 and for me, a security update for this
>> version must still go into the security channel. It's logical to do
>> these sort of changes between two major versions, but not two minor.
>> I'm following stable, not 4.0r3 or r4.
>>
>> Is there another explanation?
> Yes, not every security issue is severe enough to warrant a DSA. Some issues
> are considered as minor (for instance a lot of DoS attacks) and can be fixed
> via a stable update. The security tracker[0] normally indicates such issues
> with a <no-dsa> tag (see the * behind the issues).
> There is a list of issues that could be fixed via stable-proposed-update (a
> stable update upload area) in svn called /data/spu-candidates.txt .
>
> Cheers
> Steffen
>
>
> [0]: http://security-tracker.debian.net/tracker/status/release/stable

