On Sat, Dec 13, 2008 at 10:38:30AM +0100, Moritz Muehlenhoff wrote:
> On 2008-12-13, Marcin Owsiany <porri...@debian.org> wrote:
> > On Fri, Dec 12, 2008 at 11:37:35AM -0700, dann frazier wrote:
> >> On Fri, Dec 12, 2008 at 08:53:43AM +0000, Marcin Owsiany wrote:
> >> > On Thu, Dec 11, 2008 at 12:11:05PM -0700, dann frazier wrote:
> >> > > On Thu, Dec 11, 2008 at 06:49:59PM +0000, Dominic Hargreaves wrote:
> >> > > > On Thu, Dec 11, 2008 at 11:38:28AM -0700, dann frazier wrote:
> >> > > > > Yes - 2.6.18 is in stable, and as such will be security
> >> > > > > supported for at least another year. Minor/local DoS security
> >> > > > > issues in the kernel are very frequent, so updated packages are
> >> > > > > constantly in preparation. Preparing kernel updates is resource
> >> > > > > intensive so, unless there's a severe issue, etch users should
> >> > > > > expect 2.6.18 and 2.6.24 updates to be staggered.
> >> > > >
> >> > > > Yup, that's pretty much what I expected to hear; thanks for
> >> > > > confirming.
> >> > > >
> >> > > > May I make a suggestion that you include a comment along these
> >> > > > lines in the advisory texts? It would help reassure users that
> >> > > > things haven't been forgotten about greatly.
> >> > >
> >> > > Yes, this has been a FAQ since the release of etchnhalf. I'll see
> >> > > about adding something to the text template. Does this look ok?
> >> > >
> >> > > Debian 'etch' includes linux kernel packages based upon both the
> >> > > 2.6.18 and 2.6.24 linux releases. All known security issues are
> >> > > carefully tracked against both packages and both packages will
> >> > > receive security updates until security support for Debian 'etch'
> >> > > ceases. However, given the high frequency at which low-severity
> >> > > security issues are discovered in the kernel and the resource
> >> > > requirements of doing an update, non-critical 2.6.18 and 2.6.24
> >> > > updates will typically release in a staggered or "leap-frog"
> >> > > fashion.
> >> >
> >> > I'd suggest you add something more explicit, maybe:
> >> >
> >> > [fashion], that is when higher-severity issues are fixed.
> >> >
> >> > or something similar.
> >>
> >> Well, I don't think that's what I mean. High-severity fixes will
> >> release as soon as possible - likely simultaneously.
> >
> > Well, that is what I meant as well, but my English is apparently not
> > good enough to express it. I think there is a single fact that the
> > reader should get from this:
> >
> > Low severity fixes often wait until there is a need for a high-severity fix.
> >
> > Does that sound better?
>
> Not quite, in case of an emergency release such as the vmsplice issue (where
> the exploit was posted in the wild) the low severity issues will rather
> be postponed to a followup DSA.

I don't think my sentence implies that they never wait _even_ longer than a
high-severity fix. It just states that they wait.

Anyway, all I'm trying to achieve is make that FAQ entry easy to understand
for a non-native English speaker.

-- 
Marcin Owsiany <porri...@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216