On Fri, 2007-12-28 at 22:36 +0100, Martin Zobel-Helas wrote:
> On Fri Dec 28, 2007 at 22:10:08 +0100, Wolfgang Jeltsch wrote:
> > However, I cannot see any security announcement for most of these. Were
> > they updated because of the security fix for tar? If yes, why doesn’t the
> > security announcement mention that updated versions are available also for
> > those packages?
>
> see http://lists.debian.org/debian-announce/debian-announce-2007/msg00004.html

Martin,

First, I (and many others) appreciate your and everyone else's work on Debian.

That said, I too am confused by the latest Debian 4.0 release. It seems to me that, in the past, all Debian patches were released with DSAs (why patch w/o a DSA?), and that further updates to the core release (Potato, Sid, Sarge, Etch, etc.) were only a roll-up of previously issued DSAs. I don't recall new functionality ever being added in a core release update bundle (although I could be wrong).

Consider that some people, such as myself, only update servers based on review of public DSA statements. Yet now we find ourselves with multiple days of updates to multiple pkgs, but no corresponding DSA announcements to cross reference for validity (which can easily make one suspect a mirror has been hacked).

Since I'm not the only one confused by the recent updates, can we get some clarification on this process, please?

Specifically, is it currently Debian policy to release non-critical pkg updates, i.e. releases without DSAs, in periodic core release rollups? (Is this new or has it been so in the past?)

Could Debian be better served by calling the rollup (including new non-critical updates) a new release (i.e. 4.1)?

Thank you for helping to clarify.

-Jim P.

