
Re: Backports policy for security updates (was: Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED)



On Wednesday, May 24, 2017 03:27:27 PM Alexander Wirt wrote:
> On Wed, 24 May 2017, Scott Kitterman wrote:
> > On May 24, 2017 9:09:04 AM EDT, Alexander Wirt <formorer@formorer.de> wrote:
> > >On Wed, 24 May 2017, Ben Hutchings wrote:
> > >> On Wed, 2017-05-24 at 22:05 +1000, Stuart Prescott wrote:
> > >> > I routinely backport packages and deploy them locally. I frequently wonder
> > >> > if I should upload them to make them more widely useful. And then...
> > >> >
> > >> > Perhaps I'm snipping too much here, but is this what you're saying?
> > >> > 
> > >> > > > Now I'm confused.  I thought as a backporter my responsibility for
> > >> > > > oldstable was limited to the one year period after the new stable was
> > >> > > > released?  Are backporters responsible for LTS support too?
> > >> > > 
> > >> > > Of course you are.
> > >> > 
> > >> > wait, because a few people started an unofficial project to extend support
> > >> > of the stable release, everyone else is now responsible for supporting that
> > >> > effort in all manner of other places?
> > >> 
> > >> [...]
> > >> 
> > >> > Uploading a
> > >> > backport has suddenly become a blank cheque for maintenance subject to
> > >> > future prolongation. Sounds like a world of pain I should avoid. Sorry.
> > >>
> > >> I agree; this is not a reasonable demand.  I only started working on
> > >> LTS on the basis that I could do it in work hours.  I don't expect
> > >> anyone to do this comparatively boring stuff as a volunteer.
> > >> 
> > >> The backports suites and their users would benefit from some
> > >> clarification about which packages remain supported and how long this
> > >> is likely to last - defaulting to the end of regular support for the
> > >> corresponding stable suite.
> > >
> > >We will probably close jessie-bpo with the end of the main support. It seems
> > >that it was a nice idea, but it is unsupportable.
> > >
> > >Alex
> > 
> > If so, we're back to upstream Django 1.8 support being roughly aligned to
> > when jessie-backports closes, so can we please continue updating it?
> > 
> > If you're too angry with Raphael to let him do it, I volunteer.
> 
> such a kind of exception isn't decided yet.

I understand you haven't decided yet.  I would ask that the backports team 
reach a decision on this quickly.  I have ongoing work with a client that I 
had planned on basing on these Django 1.8 packages.  If we have to change 
direction and pip install everything, we can, but I need to change direction 
sooner rather than later.

Personally, I feel terribly caught in the middle here.  I made representations 
to a client on why Debian was suitable for an effort based on the ongoing, 
regardless of if it in theory should have been or not, package maintenance of 
Django 1.8 in Jessie and the similar plans for Django 1.11 in Stretch.

If that's not going to work out, I need to go eat my words sooner rather than 
later.  I also have 8 packages I want to get removed from Stretch before 
release because Debian packages are not a suitable vehicle to support the 
project I packaged them for (they are fine packages, but not ones I care to 
maintain in Stable if I'm not using them).

Whatever it is, please make a decision quickly as I need some time before the 
release to get things adjusted.

Scott K

