
Re: Backports policy for security updates (was: Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED)




On May 24, 2017 1:24:07 AM EDT, Alexander Wirt <formorer@formorer.de> wrote:
>On Wed, 24 May 2017, Scott Kitterman wrote:
>
>*snip*
>
>> I realize that socially, granting an exception for python-django right now is
>> not ideal since the discuss first didn't happen, but I think technically a
>> really good case can be made for python-django updates and I'd like to try.
>>
>> At this point in its lifecycle, all Django 1.8 is getting is security fixes.
>> The Django Project has a very defined policy about post release maintenance
>> [1].  They also have a very extensive test suite that the package runs for
>> both python and python3 at build time.
>>
>> The most recent release had two CVE fixes.  As with all web frameworks, its
>> security history is not wonderful, but upstream is very responsive about
>> addressing issues when they are identified for all supported releases.
>>
>> As an LTS release, Django 1.8 is supported for security releases until at
>> least April of 2018, which will be near the end of Jessie's support window
>> (and two months of hand backporting patches if needed is not typically
>> difficult - I'm doing it locally for Django 1.6 now).  If allowed to continue
>> we can support this through Jessie's life.
>Let's go a step further, what about after April 2018? jessie-backports
>lifetime is til May 2020?
>
>Alex

Now I'm confused.  I thought as a backporter my responsibility for oldstable was limited to the one year period after the new stable was released?  Are backporters responsible for LTS support too?

Even if that's the case, the LTS team will have to grab security fixes for Django 1.7 through the LTS support period.  Integrating those with Django 1.8 in jessie-backports should likely be simple enough.

Scott K

