Todd said:
One thing I'd be wary of with pushing an update from testing just based on a timeout is how we'd know if anyone had bothered using it. I don't make use of ethereal on a regular basis, so just because I've updated my systems against updates-testing doesn't mean I've even picked up ethereal, let alone tested it at all.
How does this weigh against a package not getting released for months and a new worm appearing that exploits it?
If the vulnerability was that serious, there would be more people interested in testing the package. In the case of ethereal, it seems that not many people are interested in the package, hence the low interest in testing it.
I would rather sit on a package until it generates the necessary PUBLISH votes than release an untested package.
Again, as I have mentioned before, I feel the ultimate decision is up to the bug-owner, and if they are not sure, gather feedback from list members. Just the process of gathering feedback will usually generate enough interest in a package to get someone to verify the package.
To get more potential testers, it would be extremely helpful to get an easy way for people to get test systems running. Myself, I only have access to some RH73 machines, and I took a look at UML, but the amount of setup to get a UML instance up put me off for a while.
-Dave