
Re: Why back-porting patches to stable instead of releasing a new package.

On Wed, Jul 23, 2003 at 03:15:55AM -0500, Luca - De Whiskey's - De Vitis wrote:

> On Tue, Jul 22, 2003 at 06:36:06PM -0400, Matt Zimmerman wrote:
> > > I've some questions for you, first.  Would you mind, please, to
> > > explain to me why back-porting a patch for a buggy package in stable
> > > would be better than releasing a new package for the
> > > stable distribution?
> > 
> > Do you mind taking this discussion to a public mailing list so that I don't
> > have to explain over and over?
> The kind of patch we were talking about was for a security fix. I was asking
> this question to Matt because the new package I'd like to release for stable
> also fixes many other bugs.
> I'm sorry if some of you might think this question to be dumb or stupid, but
> it's not obvious to me.
> Please, please, please: no reference/flame about releasing new stable
> distribution more often. That would not be the point.
> ciao,
> P.S.: Matt, if you felt this question to be common, it might be worthy to add
> some/your explanations to the developers-reference too.

This is already in the security team FAQ, and in the developers reference in
section "Preparing packages to address security issues", but
apparently it requires further explanation, because this issue comes up from
time to time.  I will expand the developer's reference more when I get a
chance.  The main points are:

- Security advisories and the associated packages should fix security
  vulnerabilities and nothing else.  It is irresponsible to "sneak in"
  additional changes or try to use a security vulnerability as an excuse to
  bypass the normal process for updating a package in stable to fix other

- If your package is so buggy in stable that it is useless, you should have
  made an upload to proposed-updates a long time ago.  Don't wait for a
  security advisory and try to use that to get random bug fixes in.  They
  will not be accepted as part of a security update.

 - mdz
