
Use volatile?



On Sun, Jul 31, 2005 at 11:10:04PM +0400, Nikita V. Youshchenko wrote:
> As it is being currently discussed on debian-security [1], security
> team has hard times supporting mozilla family of packages, because of
> unfriendly upstream policy - they don't want to isolate security fixes
> from a large changesets of new upstream releases. And given the huge
> size of the package, isolating security patches at Debian level also
> fails.
[..]
> Maybe in rare cases like this one, when there seems to be no other way
> to keep important package set secure, we should allow new upstream
> into Debian Stable?

What happens if they require new versions of libraries which already
exist in stable?

I think you need a couple of ways out and to decide between them
possibly just leaving well alone and making users aware of the issue
(perhaps pointing them at volatile?) if library upgrades are needed as
well as the case where new self-contained upstreams could be allowed in.

Is volatile not a better general place for such packages though really?
Maybe we just need more emphasis on volatile to our users.  (i.e. get
the installer to prompt about it etc).

Simon.

-- 
Granny grasped her broomstick purposefully.  "Million-to-one chances," she
said, "crop up nine times out of ten."
