Mark Purcell wrote:
> On Wed, 8 Aug 2007, Lionel Elie Mamane wrote:
> > Yes, but we should still fix that in stable, not only unstable.
> 
> Yes, I wasn't suggesting that we don't fix it in stable, but rather that a
> fix was available and had been uploaded to Debian (unstable). The BTS
> supports version tracking and even though the bug may be closed, these
> security issues are still listed as open for asterisk in etch.
> 
> Of course if we have a way of testing that the fix in unstable is valid,
> that's even better.
> 
> Of course fixing the plethora of security fixes against asterisk 1.2 is an
> issue and a fair amount of work. Whilst digium continues to provide supported
> releases of 1.2.x with bug fixes, by rights we should be only taking
> the diffs and applying them to debian stable via the debian security team,
> which is a job in itself.
> 
> We are maintaining up-to-date asterisk 1.2 packages built against stable (etch)
> via http://buildserver.net, but that is using the latest asterisk 1.2 upstream
> release and isn't a suitable security fix for upload to stable. (But it would be
> a lot less work and would get the fixes into stable v.quickly.)
> 
> security team. This is an issue, we (pkg-voip) are aware we are well behind
> the curve on this, but were wondering if you have any ideas on a way to better
> manage?

For Etch we need to bite the bullet and continue to support it (see my previous
mail to Faidon), but with the current strain of vulnerabilities (19 in 2007 alone!)
we can't support it for Lenny again. In some cases we need to accept notoriously
error-prone packages because they are terribly important (like PHP and Linux), but
we can't do that for Asterisk.

For Lenny I see three solutions (in order of my personal preference):
1. Move it to volatile.debian.org and support it through builds of the current
   Digium maintenance release
2. Drop it from stable and support it out of the archive through builds of the
   current Digium maintenance release
3. For Lenny we'll most likely have a way to flag packages not having security
   support (see #436161). So, it could be included in Lenny w/o security support.
   There might still be use cases, e.g. a company-wide internal PBX.

Comments?

Cheers,
        Moritz

