Hi

Currently the security support for the volatile archive is supposed to be taken care of by the uploaders of the respective packages.

I think it would make sense to have someone or a team tracking security issues for volatile.

What do you think? Is anyone up to providing such issue tracking for volatile?

Cheers

Luk

* Luk Claes:

> Currently the security support for the volatile archive is supposed
> to be taken care of by the uploaders of the respective packages.
>
> I think it would make sense to have someone or a team tracking
> security issues for volatile.
>
> What do you think? Is anyone up to providing such issue tracking for
> volatile?

For ClamAV and ClamAV-derived packages, I'd prefer to see uploads of new upstream versions to stable-security or stable-proposed-updates (that is, remove it from volatile).

On Sun, Feb 22, 2009 at 10:06:41PM +0100, Florian Weimer wrote:

> * Luk Claes:
>
> > Currently the security support for the volatile archive is supposed
> > to be taken care of by the uploaders of the respective packages.
> >
> > I think it would make sense to have someone or a team tracking
> > security issues for volatile.
> >
> > What do you think? Is anyone up to providing such issue tracking for
> > volatile?
>
> For ClamAV and ClamAV-derived packages, I'd prefer to see uploads of
> new upstream versions to stable-security or stable-proposed-updates
> (that is, remove it from volatile).

I think one of the reasons why clamav is in volatile is that the engine might need updating to detect new viruses. Is that something you want to support in stable-security?

I don't think an upload only to stable-proposed-updates is something we want for that, since it might take a long time until the next point release.

Kurt

* Kurt Roeckx:

>> For ClamAV and ClamAV-derived packages, I'd prefer to see uploads of
>> new upstream versions to stable-security or stable-proposed-updates
>> (that is, remove it from volatile).
>
> I think one of the reasons why clamav is in volatile is that the engine
> might need updating to detect new viruses. Is that something you
> want to support in stable-security?

Yes, I think it would make sense. Over time, it becomes increasingly onerous to provide backported patches for clamav, and there is little benefit (maybe except for cases where clamav is solely used as a spam filter).

I also think that providing security support for volatile makes sense, and I've been wondering if it makes sense to kill two birds with one stone, so to speak.

Of course, there's the slight issue that some maintainers will complain loudly because they still can't upload new upstream versions for their packages. 8-) I guess this is something we have to deal with for the benefit of our users, though.

> I don't think an upload only to stable-proposed-updates is something
> we want for that, since it might take a long time until the next
> point release.

On the other hand, we want quite a bit of testing before we push out a new version. I don't really want to tie a new major upstream version to a security update. So perhaps there's still a reason to upload newer versions to volatile, and we will just base security updates off that (similar to what we currently do with stable-proposed-updates in most applicable cases)?