Derek Martin <[EMAIL PROTECTED]> writes:
> On Sat, Apr 21, 2007 at 06:37:29PM +0100, Tim Cutts wrote:

>> That's the version that has been in Debian Sarge, but I think it had
>> your fix backported. Debian *never* upgrades to new versions just to
>> plug security holes, because additional bugs could be introduced.
>> Instead, the fix is always backported to the version currently in
>> Debian.

> Ah right... That's kind of annoying, since the version bump in rssh is
> explicitly because of this bug being fixed. Nothing else was changed.
> This policy makes it harder for end users to know if their version is
> vulnerable... It's one of the reasons I don't use Debian except when I
> have no choice.

I personally will try to talk the stable release team and the security
team into accepting a new upstream version when the only change is the
security patch for exactly this reason. I agree with you about the
confusion when the version number change is specifically only the
security vulnerability fix.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

_______________________________________________
rssh-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
