On 6/14/09, Francesco Poli wrote:
> The security tracker is not useful to assess the security of a
> particular box, but I think it's (or it should be) useful as a sort of
> (auxiliary) to-do list for the security teams, telling which
> vulnerabilities should be addressed with the greatest urgency and which
> vulnerabilities are already fixed.
> Or am I completely off-track?

yes, you are on the right track, but since the security team is not supporting testing right now, they likely aren't looking much at the testing pages on the secure-testing website. maybe there needs to be a big warning, "NOT SECURITY SUPPORTED", added to the testing pages making it clear that this is the case.

> Debian sarge was released in June 2005.
> I remember seeing the first DTSAs for etch in September 2005, if not
> before (OK, that could not be considered as full security support for
> testing, but it was better than nothing).
>
> Debian etch was released in April 2007.
> I remember seeing the first DTSA for lenny in May 2007.
>
> Debian lenny was released in February 2009.
> As of now (June 2009), I still have to see the first DTSA for squeeze.
>
> It seems to me that things are going worse for squeeze than for lenny...
> There's lack of manpower, I know: but was there more manpower while
> lenny was testing and etch was stable?

the security team will push out DTSAs as they find the time (especially for latently vulnerable issues in ill-maintained packages), but that does not indicate the initiation of security support for that release.

mike
