On Mon, 11 Oct 2010 14:14:41 +0100, Ian Jackson wrote:

> Florian Weimer writes ("[SECURITY] [DSA-2115-2] New moodle packages fix
> several vulnerabilities"):
> > DSA-2115-1 introduced a regression because it lacked a dependency on
> > the wwwconfig-common package, leading to installations problems. This
> > update addresses this issue. For reference, the text of the original
> > advisory is provided below.
>
> This is the second recent regression in a security update. I'm sure
> you'll all agree that this is bad. It's a shame, because Debian
> security updates have historically had a very good reputation.
>
> Is there anything that I could do to help with improving things to
> avoid this happening again?
>
> A traditional approach might be to hold a postmortem to try to find
> the chain of events, identify root causes, and make recommendations
> (whether to the Security Team or to others in the project). Has
> anything like that been done in this case?
The problem here appears to be the jump to the new upstream version (1.8.2 to 1.8.13), which has a different dependency set. New upstreams are usually disallowed in security uploads. The question is why that was OK in this case, rather than the standard backporting approach?

Best wishes,
Mike