On Tue, Sep 1, 2009 at 14:06:17 -0700, Steve Langasek wrote:

> On Tue, Sep 01, 2009 at 11:39:40AM +0200, Julien Cristau wrote:
> > On Sun, Aug 30, 2009 at 23:38:17 +0200, Lucas Nussbaum wrote:
> >
> > > That's unfortunate. Imagine the following scenario:
> > > 1. Package P is released in sarge, with version 1.0-1.
> > > 2. Package P is installed on a system S, running sarge.
> > > 3. etch is released with P 1.0-1.
> > > 4. A security bug is found in P.
> >
> > Does this actually happen? How often?
>
> Often enough that it's been discussed repeatedly over the years; not often
> enough that anyone has fixed it. :)
>

Every time I've seen it discussed, it was by people who aren't part of the security team, and so far the security team seem to say it's not a concern for them, so for all I know it may just be theoretical…

Cheers,
Julien