Re: Dreamhost dumps Debian

Steve Langasek <vorlon@debian.org> wrote:
> I understand the
> motivation (like everyone else they have more to do than they have time to
> do it in), but I think the outcome, whereby the security team denies use of
> the security update channel for non-"critical" security bugs and redirects
> maintainers to stable-updates instead, is unfortunate.  

We don't "deny" anything here, the current implementation of the security
release process simply doesn't allow more fine-grained control on who/how
security updates can be released.

There were some internal discussions in the past and that's certainly an
agenda topic on a future security team sprint.

> As far as I'm
> concerned, a security fix that isn't worth being pushed to
> security.debian.org is also not worth me spending time on as a maintainer to
> push to stable-updates.

Pushing minor issues through point updates is the same process other enterprise
distros use as well; SLES and RHEL also pile up minor issues for point updates
instead of sending out a security update.

In the past such minor issues were simply left unfixed in stable. For a few
years now we've had an established process to systematically keep the
maintainers informed (Jonathan Wiltshire runs a notification bot for that).


