Re: Longer maintenance for (former) stable releases of Debian (Re: Dreamhost dumps Debian)

Pau Garcia i Quiles <pgquiles@elpauer.org> writes:

> IMHO the Security Team should not act as fixers themselves but more as
> proxies, passing information about a security issue to the maintainer of
> the package.

And what happens then if the maintainer doesn't respond?

If we're going to offer meaningful security support, we have to have a
bug-fixer of last resort, and that's the party most stressed by extending
security support.  Particularly since, for every year we extend it,
more maintainers will be uninterested in doing so for their own packages.

Alternately, we could be far more aggressive about removing packages from
oldstable, I suppose, but I don't think that's a good idea; that just
leaves our users with exactly the sorts of choices that we're trying to
avoid.  I think it's much cleaner and better for our users to offer full
security support and then retire the whole distribution at the same time.
It makes planning considerably easier, among other things.

Russ Allbery (rra@debian.org)

