Re: stable vs. testing: same versions, different status



On Wed, 10 Jun 2009 00:47:08 +0200, Francesco Poli wrote:
> > this would be nice, but it is usually a short timeframe for which there
> > exist testing and stable versions that match.  i think it will
> > always have to be a manual process involving DTSAs.
> 
> Short time frame?
> I still see cases where squeeze and lenny versions of a package are
> identical and lenny was released back on February 14th...

relative to the 2 year release cycle, 4 months is a short time frame
(although i see your point since some packages remain almost unchanged
between releases, but they are few and far between).

> I think the above-described automatic mechanism would benefit testing
> security, especially in the first post-release times, i.e. when the
> testing-security team claims that no official testing security support
> can be provided!

the best course of action here is to use stable-security with a higher
pin-priority than testing; that way if testing still contains the
same version as stable, then you get the securitized version from
stable-security instead.

of course this is a less-than-desirable situation because most users
won't go through the trouble.  however, the security team is already
overtaxed, and stable security is much more important than testing so
far away from a release.

maybe the installer could automatically configure testing's sources.list
as described above to partially address the problem.

mike
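
The pinning setup suggested in the message above, sketched as an added example (not part of the original post and not an official Debian configuration). The suite names lenny and squeeze come from the thread; the mirror URL, the staging-directory layout, the function names, the priority 990, and the assumption that no APT::Default-Release is set (so testing keeps apt's default priority of 500) are all assumptions of this sketch.

```shell
#!/bin/sh
# Stage an apt configuration that prefers stable-security over testing,
# then check that the pin priority sits in the intended range.

# Assumed value: above testing's default of 500, below 1000
# (apt treats priorities of 1000 or more as permission to downgrade).
SEC_PRIO=990

# Write sources.list and preferences under a staging root (hypothetical layout)
# so the result can be reviewed before it is copied to /etc/apt.
write_pin_config() {
    root=$1
    mkdir -p "$root/etc/apt" || return 1
    cat > "$root/etc/apt/sources.list" <<'EOF'
deb http://ftp.debian.org/debian/ squeeze main
deb http://security.debian.org/ lenny/updates main
EOF
    # a=stable follows the "stable" alias, so this pin tracks whatever
    # release is currently stable, not lenny specifically.
    cat > "$root/etc/apt/preferences" <<EOF
Package: *
Pin: release a=stable, l=Debian-Security
Pin-Priority: $SEC_PRIO
EOF
}

# Print the Pin-Priority of the first stanza pinned to the security label.
security_pin_priority() {
    awk '/^Pin:/ { hit = ($0 ~ /l=Debian-Security/) }
         /^Pin-Priority:/ && hit { print $2; exit }' "$1"
}

# Succeed only if the security pin outranks testing (500) and stays below 1000.
pin_is_sane() {
    p=$(security_pin_priority "$1")
    [ -n "$p" ] && [ "$p" -gt 500 ] && [ "$p" -lt 1000 ]
}
```

Once the files are in place and `apt-get update` has run, `apt-cache policy` followed by a package name shows the priority of each source and which version apt selects as the candidate.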
