Re: Dreamhost dumps Debian

On Tue, Aug 20, 2013 at 8:25 PM, Russ Allbery <rra@debian.org> wrote:
>> The same people that maintain the packages in sid and stable: the
>> maintainer(s) for each package. [...]

> That is not the case.  At the moment most of this is done by the
> Debian security team.  Of course some package maintainers do help.

> I consider it part of my responsibility as a package maintainer to provide
> security support for my packages for as long as Debian does.  If I felt
> like I couldn't do that, I would orphan the package or look at having it
> removed from Debian.  I don't think there's any way that one team can
> scale to providing security support for the entire archive; it's hard for
> them to even track the existence of issues for the entire archive.

That's exactly how I see it, glad to see I'm not alone :-)

> My experience is that I can just barely manage to
> convince upstreams to look over my backports of security patches to
> packages in oldstable

What makes you think Ubuntu, Red Hat, etc. ask upstream to look at their security patches for old versions or even approve them? When I backport something, I send it to upstream as a courtesy, in case they want to release a patch version, not because I expect them to give me the OK.

