Re: Backports upgrade policy (ButAutomaticUpdates:yes)

To: debian developers <debian-devel@lists.debian.org>
Subject: Re: Backports upgrade policy (ButAutomaticUpdates:yes)
From: Russ Allbery <rra@debian.org>
Date: Wed, 23 Jan 2013 21:56:44 -0800
Message-id: <[🔎] 87wqv386oz.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20130124053915.GA18653@fishbowl.rw.madduck.net> (martin f. krafft's message of "Thu, 24 Jan 2013 18:39:15 +1300")
References: <[🔎] 20130124053915.GA18653@fishbowl.rw.madduck.net>

martin f krafft <madduck@debian.org> writes:

> While this might seem like a good idea at first — like when
> a security fix reaches the backports archive

Indeed.

> I am sure we all agree that the
> deny-all-but-what-is-explicitly-allowed policy is the better one. So
> why did we make the switch?

Because of security fixes.  :)

The basic problem is that we have no way of knowing whether an updated
backport is a security fix or not, and not installing security fixes is
rather problematic.

> The problem in the past was that security fixes to the package in stable
> may well never reach users with backports installed. This problem is
> actually not addressed, as security fixes might not appear in testing
> anytime soon, nor is it guaranteed that the backport will be upgraded.

I always understood that I had a responsibility as a backporter to release
security fixes as necessary, and if I wasn't going to do that, I shouldn't
upload the backport in the first place.  I handle backport security fixes
exactly the way that I handle stable security fixes.

There is not, so far as I know, a security team like there is for stable,
and that team does a ton of great work for stable.  Manpower would be
required to duplicate that work.  But while we aren't providing stable
levels of security support for backports, I don't think we're doing as
poorly as all that.

> In the long run, maybe we need a stable-backports-security repository,
> which can be used to ensure that backport users don't miss out on
> security fixes without having to accept major changes.  Ping me when the
> security team has 30 active members working 5 days a week on Debian and
> I'll look into writing the dak patches. ;)

This would immediately introduce another problem: what version of the
backport are you goint to patch for the security vulnerability?  Certainly
not every version that's ever been uploaded and that someone might
possibly be stuck at.  :)

Also, backports, as with testing, frequently get security fixes in the
form of upstream releases that include other changes.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: Backports upgrade policy (ButAutomaticUpdates:yes)
  - From: martin f krafft <madduck@debian.org>

References:
- Backports upgrade policy (ButAutomaticUpdates:yes)
  - From: martin f krafft <madduck@debian.org>

Prev by Date: Re: Linux Future
Next by Date: Re: scripting DBus services
Previous by thread: Backports upgrade policy (ButAutomaticUpdates:yes)
Next by thread: Re: Backports upgrade policy (ButAutomaticUpdates:yes)
Index(es):
- Date
- Thread