On 31/08/18 23:46, Julien Cristau wrote:
> Process questions are very much off-topic for this bug report, but...
>
> On 08/30/2018 09:43 AM, Bjoern wrote:
>> As I am clearly unfamiliar with your processes, I really would
>> appreciate the clarification to better my understanding and perhaps
>> quell my concerns:
>>
>> * How far away is the 9.6 point release (given that 9.5 was released
>> just over 1.5 months ago)?
>
> The aim is to have point releases roughly every couple of months. In
> practice anywhere between 2 to 4 is common.
>
>> * Why could the issue not be dealt with by simply supplying the fix in
>> the nearer term as a security update? Would it not be better to err on
>> the side of caution?
>
> Any change in stable comes with risk (e.g. of regressions), it comes
> with a cost both to the security team and to all users who need to apply
> the update. So the security team and/or package maintainers make a
> risk/cost vs benefit analysis for any given issue and decide whether to
> leave it unfixed or fix it through in a point release or fix it through
> security.debian.org.
>
> Cheers,
> Julien
Thanks for the follow-up, Julien, and for the guide concerning the point
release scheduling. My concerns do however remain in regard to this
libxcursor bug.
Does not the same risk/cost vs benefit analysis apply to old-stable
which did receive the patch in a security update?
Still unanswered though is my third and main query in my previous post,
quote:
" * I still would like to be pointed to the reference(s) and/or criteria
used by the Security Team to determine that the issue is non-exploitable
and a minor issue. I have searched around to find references regarding
CVE-2015-9262 being non-exploitable, but have so far not found anything
suggesting such - hence my request for a pointer."
Someone?
Kindest regards,
Bjoern.