Re: Backports upgrade policy (ButAutomaticUpdates:yes)
martin f krafft <madduck@debian.org> writes:
> While this might seem like a good idea at first — like when
> a security fix reaches the backports archive
Indeed.
> I am sure we all agree that the
> deny-all-but-what-is-explicitly-allowed policy is the better one. So
> why did we make the switch?
Because of security fixes. :)
The basic problem is that we have no way of knowing whether an updated
backport is a security fix or not, and not installing security fixes is
rather problematic.
> The problem in the past was that security fixes to the package in stable
> may well never reach users with backports installed. This problem is
> actually not addressed, as security fixes might not appear in testing
> anytime soon, nor is it guaranteed that the backport will be upgraded.
I always understood that I had a responsibility as a backporter to release
security fixes as necessary, and if I wasn't going to do that, I shouldn't
upload the backport in the first place. I handle backport security fixes
exactly the way that I handle stable security fixes.
There is not, so far as I know, a security team like there is for stable,
and that team does a ton of great work for stable. Manpower would be
required to duplicate that work. But while we aren't providing stable
levels of security support for backports, I don't think we're doing as
poorly as all that.
> In the long run, maybe we need a stable-backports-security repository,
> which can be used to ensure that backport users don't miss out on
> security fixes without having to accept major changes. Ping me when the
> security team has 30 active members working 5 days a week on Debian and
> I'll look into writing the dak patches. ;)
This would immediately introduce another problem: what version of the
backport are you goint to patch for the security vulnerability? Certainly
not every version that's ever been uploaded and that someone might
possibly be stuck at. :)
Also, backports, as with testing, frequently get security fixes in the
form of upstream releases that include other changes.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: