On Thu, Oct 20, 2016 at 14:26:41 +0000, Holger Levsen wrote:
> On Thu, Oct 20, 2016 at 03:59:53PM +0200, Santiago Vila wrote:
> > But I'm a little bit surprised that the whole story begins in wheezy LTS.
> > Should this not start in unstable with a bug report?
>
> this often happens when there was a CVE with or without a bug filed and
> no one uploaded a fix. then, at some point, the LTS team comes around and
> is paid to fix this in LTS…
>
> I also think it would be better to always (well, unless the package is
> gone) make sure this is fixed in unstable first and then in LTS but I
> don't think this is an individual question but rather think this should
> be addressed by implementing it as mandatory part of the LTS workflow.

Yes please.

The amount of QA you can do pre-release on wheezy updates is presumably
fairly limited. Having patches tested in unstable in the (presumably not
that rare) cases where the backport isn't the most difficult/risky part of
fixing the bug seems like it would benefit everyone, except for maybe
delaying your payments a bit.

(My pet peeve here are the recent libx* CVEs, which aren't critical, and
where the patches are tricky enough that regressions aren't exactly
unlikely. Maybe that's rare. I don't think it is.)

Cheers,
Julien