On 6/1/18 9:17 PM, Adrian Bunk wrote:
> On Thu, May 31, 2018 at 10:36:27PM -0700, Jonathan Nieder wrote:
>> ...
>> I don't think most users of testing realize that
>> they also need to include stable-backports in sources.list to get
>> security fixes.
>> ...
>
> No, this wouldn't get them all security fixes.
>
> It would only make a difference when the package with the security
> fix is backported at all *and* the backport is done before the
> package migrated to testing.

Which is unfortunately against the rules of backports, as well. Packages
are supposed to enter testing before they are backported.

[...]
> testing (and even unstable) often get security fixes after stable,
> and we should be honest about the fact that the security-supported
> part of Debian is a subset of stable[1] without backports.

I still wonder if there's some way we can make this better for testing
users without resorting to a fatalistic attitude, though. ;-)

In theory we know which unstable uploads contain security fixes because
the security tracker says so. That'd allow us to flag them and
potentially give them a higher priority to migrate. But it still doesn't
help when manual work is required because they are stuck behind a
transition.

Kind regards
Philipp Kern