Greg writes:
> Any security fixes sid receives are just fortuitous uploads by the
> regular package maintainer, usually just a new upstream version, which
> may contain security fixes if the upstream version had any.

It's not that bad. Both upstream and the maintainer know about the bug. Upstream usually puts out a fixed version of the current release (if the bug is present in the current release at all) and the maintainer usually uploads it promptly. Security, however, has to backport the fix to the version in stable, so sometimes Sid is fixed first. You do have to pay attention to security announcements, of course.

> Packages in sid are not cherry-picked for migration to testing.

They are sometimes cherry-picked for migration early in a freeze when other criteria have been met and only the freeze is holding them back. A security bug that is fixed in the Sid version is a reason to consider doing that.

-- 
John Hasler
[email protected]
Elmwood, WI USA

