Comment 82 for bug 40058

Rusty (rusty-curry) wrote :

As of today, still seeing this issue in Hardy. cpp, gcc in the updates today.

Particularly frustrating in that these are tools used to compile applications, and while I am sure that the package maintainers rebuilt their keys and authentication after the recent ssl/ssh fiasco, I'm really uncomfortable with compilers showing up without an explanation as to why this one is 'better' than the previous release. Along with the ssl/ssh vulnerability that showed up, getting this bug fixed would very much improve comfort and trust in the process.

The saving grace at the moment is that these are only showing up in 'proposed' packages and not 'critical' from what I've seen. As a result, the people most likely to encounter the problem are those who can find out for themselves what the update covers. However, there's a roll-up coming down the pike and I think there are going to be people concerned very soon. Granted, even then most people will not walk through the changelogs for all of the packages that get updated, but what happens when they see one or two packages that don't present a changelog and decide to wait on them till they do show a changelog, and never see it? It makes it look like packages are being distributed by someone who isn't familiar with the process.