
Re: Dreamhost dumps Debian

Pau Garcia i Quiles <pgquiles@elpauer.org> writes:
> On Tue, Aug 20, 2013 at 8:25 PM, Russ Allbery <rra@debian.org> wrote:

>> My experience is that I can just barely manage to convince upstreams to
>> look over my backports of security patches to packages in oldstable

> What makes you think Ubuntu, Red Hat, etc ask upstream to look at their
> security patches for old versions or even approve them? When I backport
> something, I send it to upstream as a courtesy, in case they want to
> release a patch version, not because I expect them to give me the OK

Well, I suppose they might not, but I would find that even more
disturbing.  It's very easy to not actually fix the problem or to add new
security holes in the process of fixing another problem, and the few times
when I've had to fix security holes without any upstream review, it's made
me very nervous.  I'd really like security fixes to be vetted by people
who are experts in that code base.

Now, if the distribution packagers are experts, that's great; at that
point, I consider them as something akin to part of upstream.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
