Re: Backports policy for security updates (was: Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED)
On Wed, 24 May 2017, Scott Kitterman wrote:
*snip*
> I realize that socially, granting an exception for python-django right now is
> not ideal since the discuss first didn't happen, but I think technically a
> really good case can be made for python-django updates and I'd like to try.
>
> At this point in its lifecycle, all Django 1.8 is getting is security fixes.
> The Django Project has a very defined policy about post release maintenance
> [1]. They also have a very extensive test suite that the package runs for
> both python and python3 at build time.
>
> The most recent release had two CVE fixes. As with all web frameworks, its
> security history is not wonderful, but upstream is very responsive about
> addressing issues when they are identified for all supported releases.
>
> As an LTS release, Django 1.8 is supported for security releases until at
> least April of 2018, which will be near the end of Jessie's support window
> (and two months of hand backporting patches if needed is not typically
> difficult - I'm doing it locally for Django 1.6 now). If allowed to continue
> we can support this through Jessie's life.
Let's go a step further, what about after April 2018? jessie-backports
lifetime is till May 2020?
Alex