Kurt Roeckx <k...@roeckx.be> writes:

> The alternative is that I go and cherry pick the important bug
> fixes. By this time there are really a lot that I would like to
> have in the stable releases and I think going that way actually
> has a higher chance of breaking things.

We've run into this before a number of times, and always end up scratching our head about what to do. Here's my thinking.

While I generally agree with the notion that we should feature-perturb stable as little as possible, with software that gets intense upstream scrutiny (which openssl does now thanks to the LF CII, etc), it often seems lower risk to me to just accept a new upstream version than to do this sort of ad-hoc cut and paste activity to back-port security fixes. In this case, I'd be inclined to let the new version in.

Bdale