On Sat, Nov 20, 2010 at 6:16 PM, Kevin Kofler <kevin.kofler(a)chello.at> wrote:
But one of the main points of this subthread is that that waiting
way too long for some urgent fixes (security fixes, regression fixes etc.).
If it's really a regression, then you will have interested users who
will test from updates-testing and provide karma.
Security karma should come from the security team.
Also security updates should not have any other changes mixed in. If
it makes other changes take longer to get to stable (because the
update after the security update needs the security update as well as
the other updates that were queued up prior to the security update),
well that's just how it is.
So you have these package versions:
foo-2 is vulnerable to the exploit.
foo-2.1 is and update that does not contain any changes except what is
required to close the vulnerability.
foo-3 has changes from foo-2.1 as well as the other updates that were planned.
The idea is that you stop everything, make the security update based
on the latest stable package, and then submit the update for testing
(by the security team?). then you continue with your normal packaging