
Re: Fwd: jessie backport for Wordpress

 Hi there!

* Martin Steigerwald <martin@lichtvoll.de> [2015-06-02 23:36:09 CEST]:
> Craig, Rodrigo made a jessie-backport of Wordpress 4.2.2.
> 
> And gave another good reason to have it available for Jessie users.

 Actually, the reason is flawed in my opinion:

> ----------  Forwarded Message  ----------
> 
> Subject: jessie backport for Wordpress
> Date: Tuesday, 2 June 2015, 20:47:22
> From: Rodrigo Campos <rodrigo@sdfg.com.ar>
> To: debian-backports@lists.debian.org
> 
> Hi,
> 
> I've uploaded to mentors a jessie backport of wordpress. It's from the 
> version in sid (not in testing, waiting for some other package) so it should 
> not be uploaded just yet. But the version in sid fixes some security issues, 
> so I think it's pointless to upload an unfixed version.
> 
> The wordpress support policy states that:
> 
> 	"The only current officially supported version is WordPress 4.2.2.
> 	Previous major releases from 3.7 onwards may or may not get security
> 	updates as serious exploits are discovered."
> 
> See here: https://codex.wordpress.org/Supported_Versions
> 
> So, it's inevitable that the release shipped with jessie will stop being
> maintained by wordpress and backporting the patches will be needed, making 
> it a difficult task. This may cause some delay to fix some issues, and 
> wordpress has had SERIOUS security issues in the past weeks. See for 
> example[1].

 So what you are saying is that you want to use backports to get security
fixes to stable users.  This is an abuse of the backports service.  If
you don't want to fix the security issues in stable and if they are
serious I would suggest you to get the package removed from stable.
Fixes for security issues in stable do belong in stable and nowhere
else, because stable users expect packages to be fixed and maintained
there.

 If that's not feasible you should consider getting the package removed
from stable because it sounds like it's unsupportable there (or no one
willing to do it, which comes down to the same).  That on the other hand
is another convincing argument AGAINST having the package in backports,
because what should convince us that the same handling wouldn't
appear again once stretch is out?

 So once again (and I have written that over and over again on this
list): Do *not* abuse backports to get security fixes into stable,
because backports is *not* stable.  If you need to get security fixes
done in stable, *do* them in stable.  If that's not doable then please
consider removing the package from stable so that the workload on the
security team becomes bearable again.

> come to debian, and the wordpress support policy is limited to the last 
> release, IMHO, it makes sense to backport it to jessie. Also, I'd really 
> like to have the current wordpress version (or pretty close), so a backport 
> seems appropriate for me.

 The last sentence here is the *ONLY* reason you should consider doing a
backport for.  The whole discussion (on the backports-team list before)
didn't even contain that sentence, so I'm very disturbed by your
approach which sounds like you have a big misunderstanding about what
backports is about and for.

 Please let me know how you want to address the security issues for
stable before I consider having wordpress for backports approved.  This
is crucial to me for understanding on how you plan to maintain and take
care of the package in the long run.

 I can understand that this can (and will) come across pretty hard to
you.  It's not meant harsh though and not to shut down your engagement,
but please understand what backports is for and don't abuse it.

 Have fun!
Rhonda
-- 
If you feel discouraged, take courage at last, go   |
If you feel helpless, go out and help, go           | Wir sind Helden
If you feel powerless, go out and act, go           | 23.55: Alles auf Anfang
If you feel unmoored, find a hold and let go        |