martin f krafft <madd...@debian.org> writes:
> also sprach Russ Allbery <r...@debian.org> [2013.01.24.1856 +1300]:

>> I always understood that I had a responsibility as a backporter to
>> release security fixes as necessary, and if I wasn't going to do that,
>> I shouldn't upload the backport in the first place. I handle backport
>> security fixes exactly the way that I handle stable security fixes.

> So if a software is at 1.0 in stable and you backported 1.1~bpo60.1 from
> testing, and then a security flaw is found in all 1.x releases which was
> fixed in 2.0, and meanwhile 2.2 is in testing, will you backport the
> security fix to 1.1 and release 1.1~bpo60.2?

Ah, yes, I should have said that I handle it the way that I handle testing security fixes, sorry.

I view backports as a miniature version of the testing distribution for that particular package. When you install a package from backports, you effectively should get the testing version of just that one package, without having to upgrade the rest of your system.

It sounds like you instead want backports to be a repository of specific useful versions of packages that are newer than the last stable. The problem with that approach is that it's much harder to maintain in a secure fashion than tracking testing for the package. (In fact, it's a potentially unbounded problem; every new feature release that was uploaded to backports could potentially need security fixes!)

> I feel that more software goes through the backports archive because of
> new features and updates that wouldn't pass our stable release policy,
> than security fixes to previously backported software.

True. But then that software does indeed have security bugs.

> And yet, setting "ButAutomaticUpdates: yes" pretends that it's the other
> way around.

I think that's too strong. It says that, overall, ensuring people get software with security fixes is more important than ensuring that they get stable software. Some of the new packages are security-related, and some aren't, and there's no way to tell the difference.
Also, I'll mention that back when backports wasn't configured for automatic updates, that was *the* most frequent request and point of user confusion on the backports list.

-- 
Russ Allbery (r...@debian.org)              <http://www.eyrie.org/~eagle/>

Archive: http://lists.debian.org/87libj81ne....@windlord.stanford.edu