On Sat, 9 Sep 2017 21:16:36 +0200, Lukasz Jendrysik <sc...@yandex.com>
wrote:

> Similar situation with Chromium etc. All of those packages exist in
> newer versions in -current, but it's not an option in my case.
> 
> I understand that -stable is not the place for the latest packages
> available and it's expected to be rock solid, but also secure.
> So I wonder what the policy is in a situation where updating to the
> newer upstream version is more than recommended for security
> reasons.

On -stable, we backport only security (or reliability) fixes, we don't
do updates, because as Theo said, new code means new bugs. Sometimes
though, upstream are kind enough to tag a release which contains only
the patch (the latest one that comes to my mind is weechat 1.7.1), so it
can look like an update but it's not an update.

The problem is the same as everywhere: the people who can do it don't
care (because of priorities), and the people who care won't do it. If you want
to help, please send patches. About that I will just quote what sthen@
said in another thread:

> - get the ports in great shape before sending them. [...]. portcheck
> and lib-depends-check etc should either be clear or you should
> explain why not. if you're already known for sending good clean
> ports, people with a few minutes to spare will be more likely
> to look at yours rather than someone else's...

On Sat, 9 Sep 2017 23:24:38 +0200, Lukasz Jendrysik <sc...@yandex.com>
wrote:

> > Well the options are: Get involved and do the work, or watch.  
> How can I help in case when updated package is already in -current?

I would suggest that you begin by looking at how previous irssi
security problems were dealt with on -stable and try to do the same.

Cheers,
Daniel
