On Wed, 24 May 2017 06:09:50 +0200 Alexander Wirt <formorer@formorer.de> wrote:

> On Tue, 23 May 2017, Scott Kitterman wrote:
>
> > On May 23, 2017 5:28:04 PM EDT, Alexander Wirt <formorer@formorer.de> wrote:
> > >On Tue, 23 May 2017, Raphael Hertzog wrote:
> > >
> > >> (please cc me on answers)
> > >>
> > >> On Tue, 23 May 2017, Debian FTP Masters wrote:
> > >> > please take the version from testing, not a version that never was in the archive
> > >>
> > >> I have been maintaining the 1.8.x LTS version of Django in jessie-backports since December 2015.
> > >>
> > >> Except the very first, none of the 1.8.x versions that I uploaded in jessie-backports have been in testing.
> > >>
> > >> Please let me continue providing this service to our users.
> > >>
> > >> Why are you suddenly acting on this upload and not the former ones?
> > >You didn't follow the often stated policy. Full stop. We just never noticed.
> > >
> > >We stated that several times and you just decided that policy does not count for you. I think that is pretty unfair.
> >
> > There are security fixes in this upload. What's the way to get those fixed? Backporting 1.10 isn't an option because it is incompatible with many other packages.
> >
> > Would cherry-picked security fixes be okay?
> The policy is pretty clear. Backport 1.10 and backport the other packages too.

Then, I'm sorry, but the policy is broken and will directly harm users of jessie, stretch and jessie-backports.

1.10 cannot be backported successfully to packages which depend on 1.7 - this has already been demonstrated with https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847277

Packages using 1.7 in jessie *must* go via the 1.8LTS to safely upgrade to 1.9 or later. Once on 1.8LTS, getting to 1.9, 1.10 or 1.11LTS is easy. If the package gets to 1.9, it is also unlikely that it will be upgradeable to the next LTS after 1.11 (currently listed as 2.2LTS) without also going via the 1.11LTS.

I know there are various problems with how we got into this situation but this is how it is right now.

0: We cannot get 1.8LTS into Jessie - we would have to include all the current reverse dependencies of django currently in jessie-backports to do so.

1: We cannot let users lose data by not providing an upgrade path via 1.8LTS.

2: If someone seriously suggests removing all of these packages from jessie-backports it also means removing them from testing and unstable and that is utterly unacceptable.

3: Not allowing the update of a backport including security fixes is unacceptable.

Current backports policy is too rigid. We are in this situation and the 1.8 backport - whatever the history - is *mandatory* for the continued operation of these packages.

> It is maybe a problem and maybe we should get the policy changed - I personally don't think so.

I strongly support a change to backports policy on this.

We *must* fix this properly. Removal of any of these packages is not an option. Refusing to allow a security fix is not an option. Backporting what is currently in testing is not an option. Policy *must* change.

--
Neil Williams
=============
http://www.linux.codehelp.co.uk/