Florian Weimer wrote:
* Some upstream authors do not provide specific security fixes (PHP,
Mozilla, GNU libc). Sometimes, no backports for the version in
stable are available, and the packages are too complex for us to
prepare them in a reasonable timeframe.
* Some fixes are very invasive (because they address design issues)
and thus impossible to backport.
* security.debian.org is a single point of ownership. If we push
out a malicious security update, really interesting things might
happen.
That's why it might be good to have a second, distinct security path
("security essentially managed by upstream") (or whichever other path
will be available). Integrated in the packet management system, but
maybe with non-automatic upgrades ("New upgrades available -- do you
want package X ?"), or automatic at the discretion of the trusting user.
From a user point of view, I'd appreciate it if the Debian team could
ensure that no data is lost while doing such upgrades. E.g., I'm not
sure that while upgrading from one Mozilla version to the next, all
user data (profile, mail, plugins etc.) is always correctly imported. In
such a case, perhaps the team could provide the necessary conversion
scripts, urge such improvements from upstream, or both.
Peer