On Wed, 10 Jun 2009 00:47:08 +0200, Francesco Poli wrote:
> > this would be nice, but it is usually a short timeframe for which there
> > exist testing and stable versions that match. i think it will
> > always have to be a manual process involving DTSAs.
>
> Short time frame?
> I still see cases where squeeze and lenny versions of a package are
> identical and lenny was released back on February 14th...

relative to the 2 year release cycle, 4 months is a short time frame
(although i see your point since some packages remain almost unchanged
between releases, but they are few and far between).

> I think the above-described automatic mechanism would benefit testing
> security, especially in the first post-release times, i.e. when the
> testing-security team claims that no official testing security support
> can be provided!

the best course of action here is to use stable-security with a higher
pin-priority than testing; that way if testing still contains the same
version as stable, then you get the securitized version from
stable-security instead. of course this is a less-than-desirable
situation because most users won't go through the trouble. however, the
security team is already overtaxed, and stable security is much more
important than testing so far away from a release.

maybe the installer could automatically configure testing's sources.list
as described above to partially address the problem.

mike
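
The pinning setup described in the message above, written out as an added example that is not part of the original post. It assumes a squeeze (testing) system with APT::Default-Release unset; the mirror URL, the "main" component and the priority values are assumptions, and the "#" lines only label which file each part belongs to.

```conf
# --- /etc/apt/sources.list ---
# testing, plus the security archive of the current stable release (lenny)
deb http://ftp.debian.org/debian/ squeeze main
deb http://security.debian.org/ lenny/updates main

# --- /etc/apt/preferences ---
Explanation: stable-security outranks testing, so a package that testing
Explanation: has not changed since the release takes its fix from
Explanation: lenny/updates. A priority below 1000 never forces a
Explanation: downgrade of a newer version that is already installed.
Package: *
Pin: release a=stable, l=Debian-Security
Pin-Priority: 990

Explanation: testing stays at the default priority.
Package: *
Pin: release a=testing
Pin-Priority: 500
```

Running "apt-cache policy" with a package name shows the priority assigned to each source and which version apt picks as the install candidate.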
