On Thu, Feb 22, 2018 at 02:57:07PM +0100, Raphael Hertzog wrote:
> But assuming that we keep updates hosted on some debian.org host, do you
> think it's OK to continue to use the security tracker to track
> vulnerabilities in wheezy?
Need to be discussed with the rest of the team, I'm not really
enthuasiastic; if this only supports a subset of the archive this would
clutter the tracker data quite a bit (lots of spurious <end-of-life>
entries e.g.)
The security tracker is fairly flexible and it should take little
effort to setup a separate instance which is based on the main
data/our triage efforts while acting on a local Packages file.
Ideally document this process publicly, so that others can also run
a local security tracker if they operate a local repository.
> And indeed if we prepare the infrastructure for this by finding a way
> to host the updates for wheezy for longer than expected, we pave the
> way for CIP to take over security maintenance of our old releases.
It's two entirely different things, though. CIP intends to create
a pool of common packages used by embedded vendors, while the extended
LTS proposal extends the lifetime of a regular Debian release (for
the demands of a specific group of users).
Cheers,
Moritz
