On Tue, Aug 20, 2013 at 8:25 PM, Russ Allbery <r...@debian.org> wrote:
> >> The same people that maintain the packages in sid and stable: the
> >> maintainer(s) for each package. [...]
> >
> > That is not the case. At the moment most of this is done by the
> > Debian security team. Of course some package maintainers do help.
>
> I consider it part of my responsibility as a package maintainer to provide
> security support for my packages for as long as Debian does. If I felt
> like I couldn't do that, I would orphan the package or look at having it
> removed from Debian. I don't think there's any way that one team can
> scale to providing security support for the entire archive; it's hard for
> them to even track the existence of issues for the entire archive.

That's exactly how I see it, glad to see I'm not alone :-)

> My experience is that I can just barely manage to
> convince upstreams to look over my backports of security patches to
> packages in oldstable

What makes you think Ubuntu, Red Hat, etc. ask upstream to look at their
security patches for old versions or even approve them? When I backport
something, I send it to upstream as a courtesy, in case they want to
release a patch version, not because I expect them to give me the OK.

--
Pau Garcia i Quiles
http://www.elpauer.org
(Due to my workload, I may need 10 days to answer)