On Tue, Aug 20, 2013 at 06:35:08PM +0200, Pau Garcia i Quiles wrote:
> On Tue, Aug 20, 2013 at 6:25 PM, Ian Jackson <
> ijackson@chiark.greenend.org.uk> wrote:

> > > > The bigger problem for a Debian LTS is this: 1. who is going to do
> > > > security support for it ?

> > > The same people that maintain the packages in sid and stable: the
> > > maintainer(s) for each package. [...]

> > That is not the case. At the moment most of this is done by the
> > Debian security team. Of course some package maintainers do help.

> IMHO that should be turned around: package maintainers should be the ones
> responsible for updates and the Security Team should help with that (e.g.
> by providing tips and/or reviewing the fixes)

That's not the understanding that was in place when I joined Debian.

Certainly there seems to be a move by the security team to push more and
more responsibility onto the package maintainers lately; I understand the
motivation (like everyone else they have more to do than they have time to
do it in), but I think the outcome, whereby the security team denies use of
the security update channel for non-"critical" security bugs and redirects
maintainers to stable-updates instead, is unfortunate.

As far as I'm concerned, a security fix that isn't worth being pushed to
security.debian.org is also not worth me spending time on as a maintainer to
push to stable-updates.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org