The debian-private mailing list leak, part 1.


Re: Release of 1.3.2?



On Wednesday, August 13, Guy Maor wrote
> Bruce Perens <bruce@debian.org> writes:
> 
> > inventory seems to rot when we change the version number.
> 
> I still think that argument is bogus.  It stems from the assumption
> that users can't distinguish between a CD which is 99% current with
> one that isn't current at all.  Buy a $5 CD, and then ftp a few megs
> more - big deal.

Indeed. It's not a bug, it's a feature!

Why don't manufacturers just write something like the following on the back
of the jewel cases of their Debian CDs?

  "After installation, Debian's sophisticated packaging system allows you
   to get (and stay) up to date with the latest security fixes with only
   a few keypresses!"

(Ok, the writing could be improved. But hopefully people get the idea.)

And it *is* indeed one of Debian's nice features.  Just point dpkg-ftp to
stable, run "dselect install" once a week and big bugs and security holes
get fixed. And it seems that some of our users agree that it's a nice
feature. Go have a look in debian-user, there's one user who's (more or
less) complaining that all these important security fixes haven't yet made
it into stable. Here are the quotes:

> I like the new way of making releases into stable (i.e. holding
> them in bo-updates and testing them and then moving them into
> stable when everything checks out).  The only concern that I
> have with this method regards security updates.  For those
> of us who are lazy (and brainless?) we do not always think of
> looking at bo-updates - rather we just point dselect to stable.
> As I understand it, the security fix for ldso is still sitting
> in bo updates and is not in stable.  Although I am not direly
> in need of such security updates in a hurry, it seems strange to
> leave important fixes such as this out of stable.  One of the
> reasons that I chose Debian was Bruce's strong commitment (in
> my perception) to security.
> 
> Just my $0.02
> 
> Paul Rightley

And...

> Sorry if this is a stupid question, but I've been puzzled for a
> little while now...  How come I keep seeing these high urgency, security
> related package releases, but the main Debian release is still at 1.3.1?
> I'm used to pointing dselect at ftp.debian.org and picking up security
> related updates automatically.  What am I missing?  Thanks...
> 
> -- 
> Tres Hofmeister                       Research Applications Program
> tres@ncar.ucar.edu         National Center for Atmospheric Research

(Sorry if I'm beating a dead horse here, but I just want to make sure that
everybody agrees that integrating security fixes, etc. into stable is a
Good Thing and that we should go on doing it.)

And wasn't there pretty universal agreement that the "Slackware way"
(i.e. updating packages without leaving any indication in the version
number, etc. that the system has been updated) was a Bad Thing?

Now, if the numbering scheme we have really scares distributors off it
could be changed. How about:

Debian 1.3-1 (just like Debian packages)
Debian 1.3a
Debian 1.3/19970901
Debian 1.3 rev 1
Debian 1.3/1May97

and so on. Whichever one gets the impression across that between Debian 1.3
and Debian 1.3.x, only *few* packages have been modified. I (for one) don't
really care how point releases are named, as long as:

1) they *are* made. (i.e. People who track stable should get the latest
                     security fixes)
2) there's some way of telling if your Debian CD has all the latest fixes
from ftp.debian.org

Clambering off soapbox,

  Christian

PS Talking about updating stable... Does anyone know when Brian is coming
back from vacation? Or can someone else make a Debian 1.3.2 (or whatever we
want to call it) release? It's long overdue. Here's (from memory) a list of
the security fixes sitting in bo-updates currently: ldso, svgalib, rusers,
(and soon) inn and exim. (And I'm probably forgetting some.)
