Robert Lemmen wrote:
> something else i would like to ask: in stable security, fixes to
> security problems must be isolated and the version in stable must be
> patched with this, is this also true for testing security? so assuming i
> have a version 1.1 in testing with a security problem and a version 1.2
> in unstable where the problem is fixed, but additional features are
> implemented as well. do you have to isolate the security patch or just
> update the whole package. if you want testing security to help stable
> security, then you need to isolate the problem, but in some cases it
> just doesn't make sense: e.g. when the version in stable is not affected
> and the one in unstable is expected to progress to testing soon.
>
> perhaps someone could explain this to me

The testing security team is mostly interested in making testing as secure as possible, so we don't generally worry about backporting fixes unless it's necessary. Some examples of it being necessary include the new version having dependencies that are blocked from entering testing, and needing to produce minimal stable-style backports when parts of testing are frozen prior to a Debian release. It's also often easier to include a backported fix in a non-maintainer upload, since upgrading to a new upstream version in an NMU is kinda rude.

With these exceptions, bring on the new upstream versions!

--
see shy jo
Robert Lemmen
2006-Mar-13 12:28 UTC
[Secure-testing-team] another question: backport fixes?
hi everyone,

something else i would like to ask: in stable security, fixes to security problems must be isolated and the version in stable must be patched with this, is this also true for testing security? so assuming i have a version 1.1 in testing with a security problem and a version 1.2 in unstable where the problem is fixed, but additional features are implemented as well. do you have to isolate the security patch or just update the whole package. if you want testing security to help stable security, then you need to isolate the problem, but in some cases it just doesn't make sense: e.g. when the version in stable is not affected and the one in unstable is expected to progress to testing soon.

perhaps someone could explain this to me

cu robert

--
Robert Lemmen http://www.semistable.com