Re: webapps in stable release cyles Was: flashplugin-nonfree in Debian
[Dropping -release and -volatile]
Jan Wagner wrote:
> Hi Romain,
>
> On Wednesday 22 April 2009, Romain Beauxis wrote:
>> However, I wonder if this would need yet another archive, or just an
>> update of a policy, either in backports.org or volatile..
>
> DUNNO for volatile, but the ftp-master of bpo, which is actually doing the
> main work clarified, that don't like to be responsible for PHP based
> packages, which is the most potential languages of the applications which
> matches the criterias.
>
I think the situation is more or less (please pay attention to that, will
clarify later) that maintainers don't feel like doing the necessary work to
fix the issues as they are found. I'm in no way saying that they are lazy
or irresponsible, web apps are by nature more exposed to security threads
than most other kind of apps; at times upstreams are not helpful, at times
upstream lacks the necessary knowledge, at times it is the maintainer, at
times they are both, at times it is the scripting language as well.
But any app that won't be properly supported should not be shipped in a
stable release, and proposing yet another repository doesn't feel like the
right solution. Instead, in the perfect situation, maintainers should learn
more about the language of the application, the security implications,
detecting and fixing security issues, etc. so that they take care of their
packages.
The goal is to work towards improving, not just giving up by creating
another dump repo.
And since there are cases where it is not feasible or even doable to work
towards improving the security of the app because of upstream, those cases
should be re-considered and probably better removed. Re-writting is not
always a bad idea.
(No need to reply with messages such as "who is going to re-write it?";
please remain focused on the topic.)
Cheers,
Raphael Geissert
Reply to: