
Re: RFC: allow new upstream into stable when it's the only way to fix security issues.



On Sun, Jul 31, 2005 at 11:10:04PM +0400, Nikita V. Youshchenko wrote:
> (1) keep vulnerable packages in stable,
> (2) remove affected packages from distribution,
> (3) allow new upstream into stable.
...
> What do you think on this?

I'd "vote" for (2), maybe with the goal of creating pressure
towards upstream to take security more seriously.  Don't forget:
The new versions will bring trouble to our poor users, as they are
neither API nor ABI compatible, have different bugs, etc.  Can't
Debian + Ubuntu + ... create enough demand for useful security
patches?  Remember the KDE/Qt licensing discussion...

(3) is second best.  At least typical server installations are
not affected (we use w3m, don't we?) and desktop users are used
to frustration anyway.  (1) is not an option.

Cheers,
-- 
W. Borgert <debacle@debian.org>, http://people.debian.org/~debacle/


