Subject: Re: dependencies & security vulnerabilities
To: Malcolm Herbert <firstname.lastname@example.org>
From: Greg Troxel <email@example.com>
Date: 08/01/2005 08:49:04
I agree with the sentiment here, but how do you intend to distinguish
between two versions of a particular pre-compiled package with the same
version number where one is secure and the other not?
I'm 99.9% sure that everyone thinks PKGREVISION++ is appropriate for the
package for which a security fix is applied, because bumping PKGREVISION is
appropriate for any significant change. Certainly the version has to change
so audit-packages can function properly.

If a package's ABI changes, then PKGREVISION should be bumped in packages
that depend on the package.
The issue at hand is whether to bump PKGREVISION for depending
packages when there is a security fix but no ABI change.
Greg Troxel <firstname.lastname@example.org>
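The point about audit-packages needing a version change, shown as an added example that is not part of this thread or of pkgsrc's own audit-packages code. It is a simplified, stand-in matcher over constructed pkg-vulnerabilities-style lines (package names, patterns and URLs are made up; version comparison is reduced to dotted numbers plus an nbN suffix, not the full pkgsrc Dewey rules); it shows that a patched package rebuilt without a PKGREVISION bump still matches the vulnerable pattern.

```python
import re

# Constructed entries in the pkg-vulnerabilities line format "pattern type url"
# (made-up package names and URLs; not real advisories).
VULNERABILITIES = """
foo<1.0nb1 remote-code-execution https://example.invalid/adv-0001
bar>=2.0<2.2nb1 denial-of-service https://example.invalid/adv-0002
""".strip().splitlines()

def parse_version(v):
    """Split '1.0nb1' into ((1, 0), 1): dotted numeric components plus the
    optional nbN PKGREVISION suffix (simplified Dewey, assumption)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:nb(\d+))?", v)
    if not m:
        raise ValueError(f"unsupported version syntax: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)

def compare(a, b):
    """Return -1, 0 or 1 comparing version strings a and b."""
    (pa, na), (pb, nb) = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))  # pad so 1.0 == 1.0.0
    ka = (pa + (0,) * (width - len(pa)), na)
    kb = (pb + (0,) * (width - len(pb)), nb)
    return (ka > kb) - (ka < kb)

OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       ">=": lambda c: c >= 0, "==": lambda c: c == 0}

def matches(installed, pattern):
    """True if an installed package like 'foo-1.0' satisfies 'foo<1.0nb1'."""
    name, version = re.fullmatch(r"(.+)-(\d[^-]*)", installed).groups()
    split = re.search(r"[<>=]", pattern).start()
    if pattern[:split] != name:
        return False
    constraints = re.findall(r"(<=|>=|==|<|>)([^<>=]+)", pattern[split:])
    return all(OPS[op](compare(version, bound)) for op, bound in constraints)

def audit(installed_pkgs):
    """Mimic audit-packages: report (package, type, url) for every hit."""
    hits = []
    for line in VULNERABILITIES:
        pattern, vtype, url = line.split()
        for pkg in installed_pkgs:
            if matches(pkg, pattern):
                hits.append((pkg, vtype, url))
    return hits

if __name__ == "__main__":
    # foo-1.0 is flagged; foo-1.0nb1 (fix applied, PKGREVISION bumped) is not.
    print(audit(["foo-1.0", "foo-1.0nb1", "bar-2.1nb3"]))
```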