
Re: Fwd: jessie backport for Wordpress



On Wed, Jun 03, 2015 at 08:16:28AM +0200, Rhonda D'Vine wrote:
>  So once again (and I have written that over and over again on this
> list): Do *not* abuse backports to get security fixes into stable,
> because backports is *not* stable.  If you need to get security fixes
> done in stable, *do* them in stable.  If that's not doable then please
> consider removing the package from stable so that the workload on the
> security team becomes bearable again.
There might be some confusion on the term backport perhaps? It's the
only explanation for all of... this.

Essentially, jessie has patches backported from sid where there are
security fixes. These fix errors in code but they cannot touch the
database or other things tied to the upstream version because that
doesn't change. For example, 4.1-deb8u2 removed the genericons
example files out of shipped theme packs, but couldn't do a search
for these same files in other non-Debian themes because that needs
a wordpress version change.

So if you looked at the patches between 4.2 to 4.2.2 and
4.1 to the 4.1 in jessie (currently deb8u2) the changes are very close.
That's the backport of security patches from sid to jessie-updates
happening.

The other use of backports is the distribution; this is where a more
modern version of wordpress will hopefully be installed. Now this does
have the fixes, sure (there is a correlation between 4.1, 4.1.1, etc. and
4.2, 4.2.1, etc.) but it does more than that.

>  Please let me know how you want to address the security issues for
> stable before I consider having wordpress for backports approved.  This
> is crucial to me for understanding on how you plan to maintain and take
> care of the package in the long run.
The security issues for wordpress are solved, the stable version of
wordpress is maintained. There is often a delay of a few days between
sid being updated and stable, but that's because it's harder to pick
patches than just import an upstream file.

Now, I'm not sure what happens if there is a new security bug and
backports has a different version to the standard stable.

 - Craig

-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5