Re: Maintaining intermediary versions in *-backports



> There are obviously rules to follow for the benefit of our users, and
> having to keep the package secure is one of them. But I don't see why
> you would enforce this only through the backport of the latest testing
> version when you have a maintainer that is willing to do the security
> work by tracking upstream point releases of the initial version that
> entered stable-backports (regularly, aka as a true testing backport).

It strikes me that backports having a similar rule to stable would be 
sensible. There is certainly no need to have rules for backports that are 
stricter than those for stable.

Stable *does* accept new upstream versions and they *do not* go via testing; 
they parachute in via stable-proposed-updates or stable/updates. It's only 
for an incredibly small number of packages and for upstreams who are known 
to genuinely only do well-tested security fixes in their LTS branches. 
Effectively, this is *only* changing how the version number is managed: 
cherry-picked patches bundled as an LTS release with a version number that 
looks like a.b.c-1 (for incremented c), rather than cherry-picked patches 
uploaded as a growing debian/patches with a version number that looks like 
a.b.c-1+debXuY (for incremented Y).

As a user, I don't care whether c or Y changes in that version number. I 
don't care if the patches are in the orig.tar.gz or in the diff.tar.xz which 
is effectively the only distinction. As a user, I want the fixed binary 
package.

Interesting data point: packages that are trusted to provide new upstream 
versions into our stable releases include postgresql and python-django.

(Unrelated note: Debian also (grudgingly) swallows new upstream versions of 
web browsers because we know that it's better to accept the newer version 
with its security updates directly into stable than to hold on to a policy 
about version numbers and keep vulnerable packages.)



-- 
Stuart Prescott    http://www.nanonanonano.net/   stuart@nanonanonano.net
Debian Developer   http://www.debian.org/         stuart@debian.org
GPG fingerprint    90E2 D2C1 AD14 6A1B 7EBB 891D BBC1 7EBB 1396 F2F7