[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED

On Wed, May 24, 2017 at 11:54 AM, Rhonda D'Vine <rhonda@deb.at> wrote:
* Jan Ingvoldstad <frettled@gmail.com> [2017-05-24 11:37:49 CEST]:
> Basically: if you need security updates, don't rely on backports, don't put
> things in backports. The backport policy is incompatible with keeping
> systems up-to-date and secure.

 That's a highly unfair statement.  The backport policy is the reason
that maintainers are unwilling to update their backports?  Come on,
that's a very very low blow and not a constructive comment.

Well, let's look at what the Debian Security FAQ says:

"Q: How is security handled for unstable?
A: Security for unstable is primarily handled by package maintainers, not by the Debian Security Team. Although the security team may upload high-urgency security-only fixes when maintainers are noticed to be inactive, support for stable will always have priority. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.

Q: How is security handled for testing?

A: Security for testing benefits from the security efforts of the entire project for unstable. However, there is a minimum two-day migration delay, and sometimes security fixes can be held up by transitions. The Security Team helps to move along those transitions holding back important security uploads, but this is not always possible and delays may occur. Especially in the months after a new stable release, when many new versions are uploaded to unstable, security fixes for testing may lag behind. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable."

So, as a general principle, security updates are delayed, sometimes by two days, sometimes more.

Then we have similar issues as the ones raised by Raphael, where the life of the package maintainer is made difficult.

As a Debian user, I have learned not to use backports for anything important because, let's face it, I'm *toast* if I do so.

I have griped about the backports security policy years ago, and others have, too, but you and Alexander shoot any constructive criticism down with frankly very off-putting, negative, unconstructive responses.

This is why users tend to go to dotdeb and other external package repositories for updated packages. We do it for PHP, we do it for Puppet, we do it for MariaDB, MySQL, etc. The backports policy and/or the way backports are practically handled are in the way.

Until this changes, it's security 101 to stay away from backports, sorry.
--
Jan

Reply to: