On Wed, Jul 23, 2003 at 09:10:01AM -0400, Matt Zimmerman wrote:
> This is already in the security team FAQ, and in the developers reference in
> section "5.8.5.3 Preparing packages to address security issues", but
> apparently it requires further explanation, because this issue comes up from
> time to time. I will expand the developer's reference more when I get a
> chance. The main points are:

That would be cool.

> - Security advisories and the associated packages should fix security
>   vulnerabilities and nothing else. It is irresponsible to "sneak in"
>   additional changes or try to use a security vulnerability as an excuse to
>   bypass the normal process for updating a package in stable to fix other
>   bugs.
>
> - If your package is so buggy in stable that it is useless, you should have
>   made an upload to proposed-updates a long time ago. Don't wait for a
>   security advisory and try to use that to get random bug fixes in. They
>   will not be accepted as part of a security update.

Things are clearer now. You're right: I should have done a new package in
time, but you probably ignore that, due to lack of time, I've filed an RFA on
phpgroupware which resulted in many mails and no real effort (apart from a new
version from Tilo Levante a short time ago). In this span of time the package
was subject to many bugfix releases, which I could not care about. Now that
I'm back working on it I have to deal with a security issue.

What am I supposed to do? Build a new version for the proposed-update
procedure?

Thanks,

--
Luca - De Whiskey's - De Vitis              | Elegant or ugly code as well
aliases: Luca ^De [A-Z][A-Za-z\-]*[iy]'\?s$ | as fine or rude sentences have
Luca, a wannabe ``Good guy''.               | something in common: they
local LANG="[EMAIL PROTECTED]"              | don't depend on the language.