> We cannot feasibly provide security updates when there is more than one
> version of the library in the archive. We do not, and probably never
> will have, the required manpower.
>
> This applies to the nixos/guix solutions too -- we cannot expect our
> security team to go around backporting patches to all the different
> versions we're offering to users.
Yeah, I was expecting this point and I don't agree. Well, I do agree on its being too much of a burden for us to backport all fixes to each version, but I do not agree on that being what we need to do. If we were to package applications as containers (not necessarily docker-style!) we could and should have different rules for those.

Just see what people will do otherwise: use a Linux distribution, install manually and then, maybe, update when a fixed version of the application comes out. IMO we should do exactly the same and make sure the application containers get updated to the fixed version as and when possible. For users this means they probably get better security and easier deployment of whatever application they need to run. Obviously this needs to be clearly documented.

Michael

-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org
Jabber: michael at xmpp dot meskes dot org
VfL Borussia! Força Barça! Go SF 49ers! Use Debian GNU/Linux, PostgreSQL