On Sat, Aug 31, 2013 at 5:57 PM, Michael Gilbert wrote:
I've been meaning to add more informative info to the security-tracker
about end-of-lifed packages. Right now you can see that info in the
raw tracker data, but the generated web pages don't make that clear at
all.
Is the raw tracker
❦ 1 September 2013 12:04 CEST, Paul Wise p...@debian.org:
http://anonscm.debian.org/viewvc/secure-testing/data/package-tags?view=co
As far as I can tell users are very unlikely to notice this. The tags
are exported to the Packages files in wheezy but apt doesn't do
anything with that
On Sun, Sep 1, 2013 at 6:04 AM, Paul Wise wrote:
On Sat, Aug 31, 2013 at 5:57 PM, Michael Gilbert wrote:
I've been meaning to add more informative info to the security-tracker
about end-of-lifed packages. Right now you can see that info in the
raw tracker data, but the generated web pages
On Tue, Aug 27, 2013 at 4:50 PM, Pau Garcia i Quiles wrote:
On Tue, Aug 27, 2013 at 7:18 PM, Russ Allbery wrote:
IMHO the Security Team should not act as fixers themselves but more as
proxies, passing information about a security issue to the maintainer of
the package.
And what happens
On Tue, Aug 27, 2013 at 9:58 AM, Simon McVittie wrote:
On 27/08/13 14:32, Pau Garcia i Quiles wrote:
What do you do with the 1 year of support Debian currently gives to
oldstable? It's also 1 year you stopped using that version, so no
technical challenge either.
There does need to be some
On Thu, Aug 29, 2013 at 05:31:26PM +0200, Ondřej Surý wrote:
So properly maintaining our stable/oldstable is a mandatory first step into
being able to provide even longer support for random release we start to call
the LTS.
Whether we achieve that by throwing more manpower into the bunch,
Hi,
On Tue Aug 27, 2013 at 02:11:56 +0200, Thomas Goirand wrote:
On 08/26/2013 12:33 PM, Neil McGovern wrote:
I'm hoping that these raising of hands are also offers to help do the
work to make it happen.
Guys, if you want it to happen, raise your hands *now* like Gustavo did.
On Thu, Aug 29, 2013 at 11:59 AM, Martin Zobel-Helas wrote:
I am raising my hand here. I am willing to support the debian security
team. I will be able to do that during my paid work time, as my
employer, credativ, is backing this.
Mid-term goal should be a Debian LTS version, but we can
On Wed, Aug 28, 2013 at 04:33:38PM +0200, Ondřej Surý wrote:
On Wed, Aug 28, 2013 at 4:29 PM, Michael Meskes mes...@debian.org wrote:
Anyhow, I doubt we can reasonably expect to maintain *all* packages for a
longer period. How about starting with a defined list of packages that we do care
On Thu, Aug 29, 2013 at 2:08 PM, Michael Meskes mes...@debian.org wrote:
On Wed, Aug 28, 2013 at 04:33:38PM +0200, Ondřej Surý wrote:
On Wed, Aug 28, 2013 at 4:29 PM, Michael Meskes mes...@debian.org
wrote:
Anyhow, I doubt we can reasonably expect to maintain *all* packages
for a
On 08/27/2013 06:53 AM, Pau Garcia i Quiles wrote:
stable. Having a team of people like Mike, Michael, Gustavo, me, etc
to take care of EVERY package is plain impossible, especially if we
want 5 years
i didn't say EVERY package i say the packages we care about
we simply don't have the
On Tue, 27 Aug 13, 10:18:53, Russ Allbery wrote:
Alternately, we could be far more aggressive about removing packages from
oldstable, I suppose, but I don't think that's a good idea; that just
leaves our users with exactly the sorts of choices that we're trying to
avoid. I think it's much
Bastien ROUCARIES writes (Re: Longer maintainance for (former) stable releases
of Debian (Re: Dreamhost dumps Debian)):
On 27 August 2013 19:32, Ian Jackson ijack...@chiark.greenend.org.uk
wrote:
Worse: in practice, removing packages is invisible to the users and
their package manager
Ian Jackson writes (Re: Longer maintainance for (former) stable releases of
Debian (Re: Dreamhost dumps Debian)):
Bastien ROUCARIES writes (Re: Longer maintainance for (former) stable
releases of Debian (Re: Dreamhost dumps Debian)):
Why not in this case creating an empty package depending
On Tue, Aug 27, 2013 at 07:52:33PM +0100, Kevin Chadwick wrote:
I don't really understand it myself as server packages and their
dependencies tend to be stable and I tend to want the latest versions of
dovecot, unbound etc..
However perhaps there is a divide here between servers which want
On Wed, Aug 28, 2013 at 4:29 PM, Michael Meskes mes...@debian.org wrote:
On Tue, Aug 27, 2013 at 07:52:33PM +0100, Kevin Chadwick wrote:
I don't really understand it myself as server packages and their
dependencies tend to be stable and I tend to want the latest versions of
dovecot,
On Wed, Aug 28, 2013 at 04:29:08PM +0200, Michael Meskes wrote:
On Tue, Aug 27, 2013 at 07:52:33PM +0100, Kevin Chadwick wrote:
I don't really understand it myself as server packages and their
dependencies tend to be stable and I tend to want the latest versions of
dovecot, unbound etc..
On Wed, Aug 28, 2013 at 4:55 PM, Neil McGovern ne...@debian.org wrote:
I think you have a very valid point here. I kind of doubt many people
would like to run on a five year old desktop.
Stats seem to disagree:
On Wed, Aug 28, 2013 at 12:47 PM, Ian Jackson
ijack...@chiark.greenend.org.uk wrote:
Ian Jackson writes (Re: Longer maintainance for (former) stable releases of
Debian (Re: Dreamhost dumps Debian)):
Bastien ROUCARIES writes (Re: Longer maintainance for (former) stable
releases of Debian (Re
On Tue, Aug 27, 2013 at 02:11:56AM +0200, Thomas Goirand wrote:
Guys, if you want it to happen, raise your hands *now* like Gustavo did.
Otherwise, please everyone: let this thread die and never raise the
topic again in this list.
Raising my hand here ...
Michael
--
Michael Meskes
Michael at
On Tue, Aug 27, 2013 at 10:56 AM, Michael Meskes mes...@debian.org wrote:
Guys, if you want it to happen, raise your hands *now* like Gustavo did.
Otherwise, please everyone: let this thread die and never raise the
topic again in this list.
Raising my hand here ...
One more hand.
But
On Tue, Aug 27, 2013 at 11:53:47AM +0200, Pau Garcia i Quiles wrote:
But I'd like to stress we need *all* developers to be involved in fixing bugs
(esp. security) in their packages in all the supported releases, not only
in current-stable.
I am afraid I am not on board for this. I do not agree with
On Tue, 2013-08-27 at 11:53 +0200, Pau Garcia i Quiles wrote:
On Tue, Aug 27, 2013 at 10:56 AM, Michael Meskes mes...@debian.org
wrote:
Guys, if you want it to happen, raise your hands *now* like
Gustavo did.
Otherwise, please everyone: let this thread die and
On Tue, Aug 27, 2013 at 11:41:58AM +0100, Ben Hutchings wrote:
The challenge was: who is willing to do the work. Your answer is: me,
but only if everyone else helps.
That doesn't answer the challenge at all.
It's hard enough to get maintainers to fix bugs in current stable
(backporting can
On Tue, Aug 27, 2013 at 11:41:58AM +0100, Ben Hutchings wrote:
The challenge was: who is willing to do the work. Your answer is: me,
but only if everyone else helps.
That doesn't answer the challenge at all.
Agreed.
It's hard enough to get maintainers to fix bugs in current stable
On Tue, Aug 27, 2013 at 2:09 PM, Neil McGovern n...@halon.org.uk wrote:
Indeed. Look at the security team for example. In theory, if all
maintainers cared enough about the older packages, we wouldn't need the
level of people we currently do.
IMHO the Security Team should not act as fixers
On 08/27/2013 11:53 AM, Pau Garcia i Quiles wrote:
On Tue, Aug 27, 2013 at 10:56 AM, Michael Meskes mes...@debian.org wrote:
Guys, if you want it to happen, raise your hands *now* like
Gustavo did.
Otherwise, please everyone: let this thread die
On Tue, Aug 27, 2013 at 12:03 PM, Lars Wirzenius l...@liw.fi wrote:
On Tue, Aug 27, 2013 at 11:53:47AM +0200, Pau Garcia i Quiles wrote:
But I'd like to stress we need *all* developers to be involved in fixing bugs
(esp. security) in their packages in all the supported releases, not only
in
On 08/27/2013 12:41 PM, Ben Hutchings wrote:
It's hard enough to get maintainers to fix bugs in current stable
(backporting can be difficult, and some just don't care), let alone
another 3 years of LTS.
Ben.
I agree with what you wrote above Ben. Though that is not in a direct
relation with
On 08/27/2013 02:28 PM, Michael Meskes wrote:
Which brings up the interesting question how it works for stable now. How
often do bugs get fixed by the security team and how often by maintainers
themselves?
How much work is this for the security team? Yes, I know, the older the
software
On 27/08/13 14:32, Pau Garcia i Quiles wrote:
What do you do with the 1 year of support Debian currently gives to
oldstable? It's also 1 year you stopped using that version, so no
technical challenge either.
There does need to be some amount of overlap, because people can't
necessarily upgrade
Pau Garcia i Quiles pgqui...@elpauer.org writes:
IMHO the Security Team should not act as fixers themselves but more as
proxies, passing information about a security issue to the maintainer of
the package.
And what happens then if the maintainer doesn't respond?
If we're going to offer
Russ Allbery writes (Re: Longer maintainance for (former) stable releases of
Debian (Re: Dreamhost dumps Debian)):
If we're going to offer meaningful security support, we have to have a
bug-fixer of last resort, and that's the party most stressed by extending
security support. Particularly
Alternately, we could be far more aggressive about removing packages from
oldstable, I suppose, but I don't think that's a good idea; that just
leaves our users with exactly the sorts of choices that we're trying to
avoid. I think it's much cleaner and better for our users to offer full
On 27 August 2013 19:32, Ian Jackson ijack...@chiark.greenend.org.uk
wrote:
Russ Allbery writes (Re: Longer maintainance for (former) stable
releases of Debian (Re: Dreamhost dumps Debian)):
If we're going to offer meaningful security support, we have to have a
bug-fixer of last resort
On Tue, Aug 27, 2013 at 7:18 PM, Russ Allbery r...@debian.org wrote:
IMHO the Security Team should not act as fixers themselves but more as
proxies, passing information about a security issue to the maintainer of
the package.
And what happens then if the maintainer doesn't respond?
Then,
Michael Meskes mes...@debian.org wrote:
Which brings up the interesting question how it works for stable now. How
often do bugs get fixed by the security team and how often by maintainers
themselves?
No hard numbers, but I'd suppose half and half (i.e. cases, where the maintainer
prepared
Hi All,
On 08/26/2013 09:31 AM, Mike Gabriel wrote:
Hi Charles,
On Tue 20 Aug 2013 02:04:40 CEST Charles Plessy wrote:
Altogether, it is a lot of work, but if we have enough people for
doing it, I think that it would be very positive for us.
/me raises his hand for giving his work for
On Mon, Aug 26, 2013 at 11:14:25AM +0200, Balint Reczey wrote:
Hi All,
On 08/26/2013 09:31 AM, Mike Gabriel wrote:
Hi Charles,
On Tue 20 Aug 2013 02:04:40 CEST Charles Plessy wrote:
Altogether, it is a lot of work, but if we have enough people for
doing it, I think that it would be
On 08/26/2013 07:33 AM, Neil McGovern wrote:
I'm hoping that these raising of hands are also offers to help do the
work to make it happen.
i offer help, we are interested in longer maintenance for some packages.
i think we should start to coordinate, if anybody else is willing to
help with the
gustavo panizzo gfa wrote on Monday, 26 August 2013:
On 08/26/2013 07:33 AM, Neil McGovern wrote:
I'm hoping that these raising of hands are also offers to help do the
work to make it happen.
i offer help, we are interested in longer maintenance for some packages.
i think we should
On 26/08/13 at 10:00 -0300, gustavo panizzo gfa wrote:
On 08/26/2013 07:33 AM, Neil McGovern wrote:
I'm hoping that these raising of hands are also offers to help do the
work to make it happen.
i offer help, we are interested in longer maintenance for some packages.
i think we should start
Lucas Nussbaum wrote on Monday, 26 August 2013:
On 26/08/13 at 10:00 -0300, gustavo panizzo gfa wrote:
On 08/26/2013 07:33 AM, Neil McGovern wrote:
I'm hoping that these raising of hands are also offers to help do the
work to make it happen.
i offer help, we are interested in
Long-term support of stable releases was one of the reasons for the
debian-companies@ initiative. I'm Ccing Michael Meskes, who is
interested in coordinating this initiative.
JFTR Coordination of LTS support should not go through a closed list.
And I don't think anyone suggested that. The
On Mon, Aug 26, 2013 at 09:31:06AM +0200, Mike Gabriel wrote:
Hi Charles,
On Tue 20 Aug 2013 02:04:40 CEST Charles Plessy wrote:
Altogether, it is a lot of work, but if we have enough people for
doing it, I think that it would be very positive for us.
/me raises his hand for giving his
On 26.08.2013 20:14, Andrew M.A. Cater wrote:
Ubuntu LTS - five years support but presumes nothing changes and you then
find huge problems moving to the next LTS because the
intervening releases have disappeared ...
You don't need the intervening releases, Ubuntu recommends doing
LTS-LTS
On 08/26/2013 12:33 PM, Neil McGovern wrote:
I'm hoping that these raising of hands are also offers to help do the
work to make it happen.
Neil
Which is why there's only a single person that replied to my workflow
proposal ... to criticize my idea to do it on a separate infrastructure,
but
47 matches