Re: Longer maintainance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)
On 27/08/13 14:32, Pau Garcia i Quiles wrote:
> What do you do with the 1 year of support Debian currently gives to
> oldstable? It's also 1 year you stopped using that version, so no
> technical challenge either.
There does need to be some amount of overlap, because people can't
necessarily upgrade machines (particularly servers) instantaneously on
release day. Even a year of overlap seems rather long, though.
When there are serious bugs in my packages, I backport fixes to stable,
then weigh up the benefit of also backporting to oldstable vs. the time
I expect it to take and the risk of regressions. For things that didn't
merit a DSA (e.g. DoS via a remotely-triggerable NULL dereference in
desktop software), my conclusion has often been "the risk of regressions
is too close to the expected benefit, I'm not going to bother". After
all, if I accidentally introduce a crash bug, that's a "DoS" that
applies to everyone, not just people whose IM contacts were actively
trying to exploit a vulnerability.
Sorting out security vulnerabilities is something I do because I feel
responsible for packages, rather than something I do because it's fun -
doubly so for oldstable, where a diminishing number of people actually
care about the vulnerability.