OoO Night having already covered this Saturday, 08 March 2008, in ink,
at around 23:36, I said:
> Suppose that xxxx 3.0.1-5 fixes a vulnerability. Therefore, 3.0.1-4 is
> vulnerable. Assume that I backport 3.0.1-5 to etch. I will name this
> version 3.0.1-5~bpo.1. Because of "~", this version will be considered
> inferior to 3.0.1-5 and will be marked as vulnerable.
> I think that this "inferiority" should be changed to equality in terms
> of security. I suppose that __cmp__() in Version class could return 0
> when all the following conditions are met:
> - upstream versions are equal
> - debian versions of the package without r'~.*$' pattern are equal
> Otherwise, we just return the VersionCompare() result.
> I attach a proposed (ugly) patch. If you think this behaviour is too
> dangerous, you could add a flag '--enable-backports-support'.
My patch did not consider the fact that '~' was also used in testing
security. I don't really understand what '~' means in this case and
therefore, I don't know if my patch is still valid.
--
panic("aha1740.c"); /* Goodbye */
2.2.16 /usr/src/linux/drivers/scsi/aha1740.c