Re: Why back-porting patches to stable instead of releasing a new package.

To: Debian Developers <debian-devel@lists.debian.org>
Subject: Re: Why back-porting patches to stable instead of releasing a new package.
From: Matt Zimmerman <mdz@debian.org>
Date: Wed, 23 Jul 2003 09:10:01 -0400
Message-id: <[🔎] 20030723131001.GH15582@alcor.net>
Mail-followup-to: Debian Developers <debian-devel@lists.debian.org>
In-reply-to: <[🔎] 20030723081555.GA32048@debian.org>
References: <20030715092532.GA8393@achos.com> <20030715125624.GL11400@alcor.net> <20030717151620.GA23268@debian.org> <20030721174232.GL13924@alcor.net> <20030722122252.GC24699@debian.org> <20030722223606.GB15133@alcor.net> <[🔎] 20030723081555.GA32048@debian.org>

On Wed, Jul 23, 2003 at 03:15:55AM -0500, Luca - De Whiskey's - De Vitis wrote:

> On Tue, Jul 22, 2003 at 06:36:06PM -0400, Matt Zimmerman wrote:
> > > I've some questions for you, first.  Would you mind, please, to
> > > explain to me why back-porting a patch for a buggy package in stable
> > > would be better than releasing a new package for the
> > > stable distribution?
> > 
> > Do you mind taking this discussion to a public mailing list so that I don't
> > have to explain over and over?
> 
> The kind of patch we were talking about was for a security fix. I was asking
> this question to Matt because the new package i'd like to release for stable
> also fixes many other bugs.
> 
> I'm sorry if some of you might think this question to be dumb or stupid, but
> it's not obvious to me.
> 
> Please, please, please: no reference/flame about releasing new stable
> distribution more often. That would not be the point.
> 
> ciao,
> P.S.: Matt, if you felt this question to be common, it might be worthy to add
> some/your explanations to the developers-reference too.

This is already in the security team FAQ, and in the developers reference in
section "5.8.5.3 Preparing packages to address security issues", but
apparently it requires further explanation, because this issue comes up from
time to time.  I will expand the developer's reference more when I get a
chance.  The main points are:

- Security advisories and the associated packages should fix security
  vulnerabilities and nothing else.  It is irresponsible to "sneak in"
  additional changes or try to use a security vulnerability as an excuse to
  bypass the normal process for updating a package in stable to fix other
  bugs.

- If your package is so buggy in stable that it is useless, you should have
  made an upload to proposed-updates a long time ago.  Don't wait for a
  security advisory and try to use that to get random bug fixes in.  They
  will not be accepted as part of a security update.

-- 
 - mdz

Reply to:

Follow-Ups:
- Re: Why back-porting patches to stable instead of releasing a new package.
  - From: Luca - De Whiskey's - De Vitis <luca@debian.org>

References:
- Why back-porting patches to stable instead of releasing a new package.
  - From: Luca - De Whiskey's - De Vitis <luca@debian.org>

Prev by Date: Re: Why back-porting patches to stable instead of releasing a new package.
Next by Date: Re: coreutils with acl support
Previous by thread: Re: Why back-porting patches to stable instead of releasing a new package.
Next by thread: Re: Why back-porting patches to stable instead of releasing a new package.
Index(es):
- Date
- Thread