security backports for removed packages
On Mon, Dec 12, 2016 at 01:06:42PM +0100, Rhonda D'Vine wrote:
> I fear we can't do this exception. And while I abssolutely understand
> that there is actual need for that (we are using virtualbox at work too,
> so I'm cutting myself here), I am sorry but backports is not the place
> for that.
>
> If you are self-hosting the packages, maybe the upcoming Debian
> specific PPAs will be the place, but if you are going to self-host the
> packages in the mean time pretty please let me/us (this mailinglist)
> know where you do so.
Anyway, I have a similar issue with mysql-5.6 which I backported due
to a local requirement earlier in the year.
Now that MySQL has been removed from testing, it's not clear what's
permitted. As it happens mysql-5.6 is still being maintained (just about)
in unstable, but I was unable to upload the backport of that for
reasons I don't understand[1]. My interpretation was that it was
permitted to upload versions not from testing if it was to fix security
issues, which that upload did.
It seems that you're interpreting the backports policy differently to
me, so perhaps https://backports.debian.org/Contribute/ should be updated
if the consensus is really that packages should be removed from packages
if they are removed from testing (and not planned to return).
I don't necessarily disagree with your interpretation, but it could
certainly be clearer if so.
If packages do get removed from backports, presumably a message should
be posted to debian-backports-announce too?
Side note: that list appears to be dead, which implies that
either backports is getting no security updates, or people are
forgetting to send out advisories or blocked from doing so (I recall
the last time I asked for a BSA in May I didn't get a response).
How can we fix this?
Cheers,
Dominic.
[1] <http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/2016-November/009979.html>
Reply to: