Web lists-archives.com

Re: What can Debian do to provide complex applications to its users?




On Tue, 20 Feb 2018, Vincent Bernat wrote:

>  ❦ 20 février 2018 09:05 +0200, Arto Jantunen <viiru@xxxxxxxxxx> :
> 
> >> Moreover, backports do not accept security patches. You can only push a
> >> version in testing (or unstable). Notably, if the version in testing is
> >> not easily backportable (because of new dependencies), you may wait
> >> quite some time before you get a security update.
> >
> > Also not true. You can request an exception to this for your security
> > update, but you do need to communicate about this with the backports
> > team before uploading.
> 
> Also? What was not true? The Debian Backports FAQ?
> 
> The exception you mention is not documented. It is also likely to just be
> rejected:
>  
>  http://lists.alioth.debian.org/pipermail/pkg-roundcube-maintainers/2017-November/002070.html
> 
> And the backport team has been pretty clear this is not the right way to
> maintain backports:
> 
>  https://lists.debian.org/debian-backports/2017/05/msg00059.html
That does mean we don't want that packages are "maintained" that way in
backports. For a one time security patch, you can always ask for an
exception. But this is just to give the maintainer more time to update the
backport with the new version from testing/unstable. 

So speaking as one of the backports ftpmasters:

No, backports doesn't have official security support in the meaning that
the team is tracking and looking after security issues in backports.
Nevertheless every backporter has to care about security, we do expect that
uploaders care about their packages - this does of course include security
support.

For some specific security problem, you can always talk with us about an
(short living) exception to give the maintainer more time and keep our users
save. 

What we don't want is people maintaining packages in that way in backports. 
Source of backports are testing/stable (for old-stable-backports) and in some
times (security) unstable. We do expect that every package follows those
suites. If a maintainer doesn't want/can this, backports is the wrong
place for maintaing that package.

Hope that helps

Alex - Backports ftp-master

Attachment: signature.asc
Description: PGP signature