
Re: Backports upgrade policy (ButAutomaticUpdates:yes)

martin f krafft <madduck@debian.org> writes:
> thus spoke Russ Allbery <rra@debian.org> [2013.01.24.1856 +1300]:

>> I always understood that I had a responsibility as a backporter to
>> release security fixes as necessary, and if I wasn't going to do that,
>> I shouldn't upload the backport in the first place.  I handle backport
>> security fixes exactly the way that I handle stable security fixes.

> So if a piece of software is at 1.0 in stable and you backported 1.1~bpo60.1 from
> testing, and then a security flaw is found in all 1.x releases which was
> fixed in 2.0, and meanwhile 2.2 is in testing, will you backport the
> security fix to 1.1 and release 1.1~bpo60.2?

Ah, yes, I should have said that I handle it the way that I handle testing
security fixes, sorry.

I view backports as a miniature version of the testing distribution for
that particular package.  When you install a package from backports, you
effectively should get the testing version of just that one package,
without having to upgrade the rest of your system.

It sounds like you instead want backports to be a repository of specific
useful versions of packages that are newer than the last stable.  The
problem with that approach is that it's much harder to maintain in a
secure fashion than tracking testing for the package.  (In fact, it's a
potentially unbounded problem; every new feature release that was uploaded
to backports could potentially need security fixes!)

> I feel that more software goes through the backports archive because of
> new features and updates that wouldn't pass our stable release policy,
> than security fixes to previously backported software.

True.  But then that software does indeed have security bugs.

> And yet, setting "ButAutomaticUpdates: yes" pretends that it's the other
> way around.

I think that's too strong.  It says that, overall, ensuring people get
software with security fixes is more important than ensuring that they get
stable software.  Some of the new packages are security-related, and some
aren't, and there's no way to tell the difference.

Also, I'll mention that back when backports wasn't configured for
automatic updates, that was *the* most frequent request and point of user
confusion on the backports list.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
