Pau Garcia i Quiles <pgqui...@elpauer.org> writes:

> On Tue, Aug 20, 2013 at 8:25 PM, Russ Allbery <r...@debian.org> wrote:

>> My experience is that I can just barely manage to convince upstreams to
>> look over my backports of security patches to packages in oldstable

> What makes you think Ubuntu, Red Hat, etc ask upstream to look at their
> security patches for old versions or even approve them? When I backport
> something, I send it to upstream as a courtesy, in case they want to
> release a patch version, not because I expect them to give me the OK

Well, I suppose they might not, but I would find that even more disturbing.
It's very easy to not actually fix the problem or to add new security holes
in the process of fixing another problem, and the few times when I've had to
fix security holes without any upstream review, it's made me very nervous.

I'd really like security fixes to be vetted by people who are experts in
that code base. Now, if the distribution packagers are experts, that's
great; at that point, I consider them as something akin to part of upstream.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: http://lists.debian.org/874nakqifh....@windlord.stanford.edu