Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED
- To: Jan Ingvoldstad <frettled@gmail.com>
- Cc: Adrian Bunk <bunk@debian.org>, Alexander Wirt <formorer@formorer.de>, Scott Kitterman <debian@kitterman.com>, debian-backports@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>, debian-admin@lists.debian.org
- Subject: Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED
- From: Raphael Hertzog <hertzog@debian.org>
- Date: Wed, 24 May 2017 11:55:45 +0200
- Message-id: <20170524095545.ofrazxqhhwemei62@home.ouaza.com>
- Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, Jan Ingvoldstad <frettled@gmail.com>, Adrian Bunk <bunk@debian.org>, Alexander Wirt <formorer@formorer.de>, Scott Kitterman <debian@kitterman.com>, debian-backports@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>, debian-admin@lists.debian.org
- In-reply-to: <CAEffzkxnoVgKCEX67F9MQee0ienvE0oAQ5PRvMFAgdw4xo-abA@mail.gmail.com>
- References: <E1dDBZF-0005ji-5b@fasolo.debian.org> <20170523155431.djcji5wm3rypwf52@home.ouaza.com> <20170523212804.mwt3fmjof6k4sgx7@smithers.snow-crash.org> <9AAF6EE4-2BCA-4735-AC45-CA7752036E02@kitterman.com> <20170524040949.6d4flosakcxhzce2@lisa.snow-crash.org> <20170524082519.os6k2k2iz5wxsvxr@home.ouaza.com> <20170524085321.ynod3xdjoaaxp4ph@localhost> <20170524090141.3fw33fiwxifj2bll@home.ouaza.com> <20170524091721.dzwwrj7ommii3n4g@localhost> <CAEffzkxnoVgKCEX67F9MQee0ienvE0oAQ5PRvMFAgdw4xo-abA@mail.gmail.com>

On Wed, 24 May 2017, Jan Ingvoldstad wrote:
> Basically: if you need security updates, don't rely on backports, don't put
> things in backports. The backport policy is incompatible with keeping
> systems up-to-date and secure.
[...]
> I strongly recommend not using backports for anything else, and certainly
> not in production.

This is not in line with DSA's policy. If we need anything newer than
stable for a service hosted by DSA, then we have to use packages in
stable-backports.

This is because backports maintainers are expected to keep the packages
they upload there as secure.

If the rules are not allowing us to do that, then the rules are bad.

That said, just because we need something newer and secure, does not mean
that we always want to track every major update from testing during the
whole lifetime of stable-backports.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/