Re: Maintaining intermediary versions in *-backports
> There are obviously rules to follow for the benefit of our users, and
> having to keep the package secure is one of them. But I don't see why
> you would enforce this only through the backport of the latest testing
> version when you have a maintainer that is willing to do the security
> work by tracking upstream point release of the initial version that
> entered stable-backports (regularly, aka as a true testing backport).

It strikes me that backports having a similar rule to stable would be
sensible. There is certainly no need to have rules for backports that are
stricter than those for stable.

Stable *does* accept new upstream versions and they *do not* go via testing;
they parachute in via stable-proposed-updates or stable/updates. It's only
for an incredibly small number of packages and for upstreams who are known
to genuinely only do well-tested security fixes in their LTS branches.

Effectively, this is *only* changing how the version number is managed:
cherry picked patches bundled as an LTS release with a version number that
looks like a.b.c-1 (for incremented c), rather than cherry picked patches
uploaded as a growing debian/patches with a version number that looks like
a.b.c-1+debXuY (for incremented Y).

As a user, I don't care whether c or Y changes in that version number. I
don't care if the patches are in the orig.tar.gz or in the diff.tar.xz which
is effectively the only distinction. As a user, I want the fixed binary
package.

Interesting data point: packages that are trusted to provide new upstream
versions into our stable releases include postgresql and python-django.

(Unrelated note: Debian also (grudgingly) swallows new upstream versions of
web browsers because we know that it's better to accept the newer version
with its security updates directly into stable than to hold on to a policy
about version numbers and keep vulnerable packages.)
--
Stuart Prescott http://www.nanonanonano.net/ stuart@nanonanonano.net
Debian Developer http://www.debian.org/ stuart@debian.org
GPG fingerprint 90E2 D2C1 AD14 6A1B 7EBB 891D BBC1 7EBB 1396 F2F7