On Tue, 2 Feb 2010 10:55:56 +0100 Jan Wagner <waja@cyconet.org> wrote:

> Hi Andres,
>
> just some notes.
>
> On Tuesday 02 February 2010 04:36:12 Andres Salomon wrote:
[...]
> > This is all imho, of course. I'd just personally prefer to not
> > have to deal w/ moving targets when using lenny-backports on my
> > stable machines.
>
> Okay .... so let's summarize this point. There may be different
> expectations from backports. Some people may want recent versions of
> some packages and other people want anything between this and a
> stable distribution. Personally I don't have a general preference, cause
> this may depend on the specific package.

Exactly, it would be good to get clarification regarding this point.
It affects my usage of bpo, both as a (lenny) user, and as an uploader.

> > > Speaking about security fixes, could you kindly update gtk+2.0
> > > for <http://osvdb.org/show/osvdb/61203>[1] and libtool for
> > > DSA-1958-1? [1]
> > > <http://security-tracker.debian.org/tracker/TEMP-0000000-000214>
> >
> > Sure, will get to that sometime this week (or weekend).
>
> Let's come back to the update on "an as-needed basis". This is a good
> example of the complete opposite of what I did with dh-ocaml. I guess it
> may be a result of missing tracking tools, but for both issues there
> were fixes available at least since December.
> You can burn me at the pyre, but this is one of the major problems of
> backporting. Uploaded packages with less or even without care (no,
> I'm not talking about any special package).
> Thanks Rhonda for doing the great security work of backports.org.

I'll be the first to admit that I typically don't have time to track
CVEs in my backported packages, nor in my sid/etch/lenny packages (the
security team or someone else generally brings it to my attention).
Given that, I typically encourage correctly-done NMUs and
co-maintenance of packages. Tracking tools would be quite useful here,
as well.