Backports policy for security updates (was: Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED)

To: debian-backports@lists.debian.org
Subject: Backports policy for security updates (was: Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED)
From: Scott Kitterman <debian@kitterman.com>
Date: Wed, 24 May 2017 00:28:14 -0400
Message-id: <[🔎] 5177958.Uy5XxIlxqR@kitterma-e6430>
In-reply-to: <[🔎] 20170524040949.6d4flosakcxhzce2@lisa.snow-crash.org>
References: <E1dDBZF-0005ji-5b@fasolo.debian.org> <[🔎] 9AAF6EE4-2BCA-4735-AC45-CA7752036E02@kitterman.com> <[🔎] 20170524040949.6d4flosakcxhzce2@lisa.snow-crash.org>

> On Tue, 23 May 2017, Scott Kitterman wrote:
> > On May 23, 2017 5:28:04 PM EDT, Alexander Wirt <formorer@formorer.de> 
wrote:
...
> > There are security fixes in this upload.  What's the way to get those
> > fixed?  Backporting 1.10 isn't an option because it is incompatible with
> > many other packages.
> > 
> > Would cherry-picked security fixes be okay?
> 
> The policy is pretty clear. Backporting 1.10 and backport the other packages
> too.
> 
> It is maybe a problem and maybe we should get the policy changed - I
> personally don't think too. I don't wan't software that isn't in testing in
> backports - but doing it behinds our back is not an option.
> 
> Alex

OK.  Let's try and step away from this one instance for a moment and discuss 
what makes sense for policy for backports.

It does happen that changes get into testing that make it impractical to do 
further backports (in the case at hand it potentially impacts 125 packages, I 
would consider that impractical, but I suppose not everyone would agree).  
Regardless of python-django, I think there are going to be cases where 
updating from testing will no longer be feasible.

If a severe bug is present in the backported package and updates via testing 
aren't feasible, what's the right answer?  I can think of three options, none 
of them ideal:

1.  Remove the backport.  Per the policy, backports are supposed to be 
supported and supportable for the life a release.  If that's no longer true, 
it should be removed.  While this gets the buggy package out of the archive 
and prevents new installs, it does nothing for users that have previously 
installed the package.

2.  Leave the bug unaddressed.  Depending on the severity of the issue, this 
may be the best answer.

3.  Allow fixes to be added to existing backports packages to address severe 
(including security) bugs.  This breaks the backport from testing paradigm and 
is sure to get abused by some, but in cases where it is no longer feasible to 
update the backport, it may be the only answer.

As you can probably guess from the way I wrote them up, I favor choice 3 and 
would like to see about getting the policy updated to explicitly allow it.  As 
a concept, does that seem reasonable to you?

Scott K

Reply to:

Follow-Ups:
- Re: Backports policy for security updates (was: Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED)
  - From: Alexander Wirt <formorer@formorer.de>

References:
- Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED
  - From: Scott Kitterman <debian@kitterman.com>
- Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED
  - From: Alexander Wirt <formorer@formorer.de>

Prev by Date: Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED
Next by Date: Re: Backports policy for security updates (was: Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED)
Previous by thread: Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED
Next by thread: Re: Backports policy for security updates (was: Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED)
Index(es):
- Date
- Thread