On Wed, 07 Nov 2012, Thijs Kinkhorst wrote:
> I think we should do this only when it has been shown that applying the
> fixes to the current version in stable(-security) is infeasible. Suppose
> now a simple XSS is discovered, I would be very much in favour to just
> apply that fix.

I would as well. The trouble is that contrary to Django (for example), upstream is not pointing out which commits are security relevant and which versions are affected or not. And there's zero support for older versions. So we're on our own (and I'm not going to do all those investigations by myself).

Cheers,
--
Raphaël Hertzog ◈ Debian Developer