
Re: Backports policy for security updates (was: Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED)



On Wed, 24 May 2017, Scott Kitterman wrote:

> 
> 
> On May 24, 2017 1:24:07 AM EDT, Alexander Wirt <formorer@formorer.de> wrote:
> >On Wed, 24 May 2017, Scott Kitterman wrote:
> >
> >*snip*
> >
> >> I realize that socially, granting an exception for python-django right now is
> >> not ideal since the discussion first didn't happen, but I think technically a
> >> really good case can be made for python-django updates and I'd like to try.
> >> 
> >> At this point in its lifecycle, all Django 1.8 is getting is security fixes.
> >> The Django Project has a very defined policy about post release maintenance
> >> [1].  They also have a very extensive test suite that the package runs for
> >> both python and python3 at build time.
> >> 
> >> The most recent release had two CVE fixes.  As with all web frameworks, its
> >> security history is not wonderful, but upstream is very responsive about
> >> addressing issues when they are identified for all supported releases.
> >> 
> >> As an LTS release, Django 1.8 is supported for security releases until at
> >> least April of 2018, which will be near the end of Jessie's support window
> >> (and two months of hand backporting patches if needed is not typically
> >> difficult - I'm doing it locally for Django 1.6 now).  If allowed to continue
> >> we can support this through Jessie's life.
> >Let's go a step further, what about after April 2018? jessie-backports
> >lifetime is until May 2020?
> >
> >Alex
> 
> Now I'm confused.  I thought as a backporter my responsibility for oldstable was limited to the one year period after the new stable was released?  Are backporters responsible for LTS support too?
> 
> Even if that's the case, the LTS team will have to grab security fixes for Django 1.7 through the LTS support period.  Integrating those with Django 1.8 in jessie-backports should likely be simple enough.
Of course you are. And forward porting fixes from another release is even
less acceptable than using external LTS patches. So please think about another solution.

Alex

P.S. This is probably a general rule I can live with: if the release branch
of that specific software is supported until the end of the $backports-branch lifetime,
using those security fixes should be fine. But I will have to talk to rhonda
first.

