I know I'm a bit late here but I should explain my case to serve as a data point for future decisions regarding backports.
We ship curl 7.74.0-1.2~bpo10+1 on buster-backports. Bullseye currently has 7.74.0-1.3+deb11u7.

There are 20 CVE fixes between those two versions (besides other fixes), I could fix all of those with a simple rebuild for buster-backports (same package version), but that doesn't seem possible anymore.

These CVE fixes can't land on buster directly as it has an older version of curl, and even if the package on main is fixed, the one on bpo is left vulnerable.

Users of buster who would like to use buster-backports are risking the impact of these 20 CVEs due to the fact that we don't allow uploads anymore.

I do understand it takes some effort to keep buster-backports alive and that not everyone will keep their packages up-to-date (at least I'm paying close attention to curl's CVEs). I'm not pushing for people to be required to maintain buster-bpo alive, just wanted to give a datapoint on how useful it would have been in the case of curl.

This also led me to think it would be great to have something looking into every stable/security upload and checking if there's a bpo package which should get the same changes (it seems safe to say every stable/security upload should go to bpo if there's a package there[0]).

[0] In some cases the bpo packages need changes to accommodate for the older base, but these deltas should stay the same in the new rebuild in 99% of the cases.

--
Samuel Henrique <samueloph>