
Re: RFC: allow new upstream into stable when it's the only way to fix security issues.


Nikita V. Youshchenko [2005-07-31 23:10 +0400]:
> So options seem to be:
> (1) keep vulnerable packages in stable,
> (2) remove affected packages from distribution,
> (3) allow new upstream into stable.

We recently had the same problem in Ubuntu. Adam Conrad and I both
spent literally weeks backporting and fixing patches, and in the
end we came up with a semi-working Firefox which was pretty buggy and
broke almost all extensions. So we just gave up and uploaded the new
upstream versions into stable, which made relatively little trouble
compared to the mess we created with backporting.

It was not an easy decision since usually we follow the same strict
"minimal patches" backporting policy, but we finally had to bow to
reality; the Mozilla code is so ugly and intertwined that backporting
patches is a battle you can't win without employing a couple of
upstream developers (which just say "use the new upstream version,

I think in the end we have to do the same for Debian.


Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org
