[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Dreamhost dumps Debian

Steve Langasek <vorlon@debian.org> schrieb:
> I understand the
> motivation (like everyone else they have more to do than they have time to
> do it in), but I think the outcome, whereby the security team denies use of
> the security update channel for non-"critical" security bugs and redirects
> maintainers to stable-updates instead, is unfortunate.  

We don't "deny" anything here, the current implementation of the security
release process simply doesn't allow more fine-grained control on who/how
security updates can be released.

There were some internal discussions in the past and that's certainly an
agenda topic on a future security team sprint.

> As far as I'm
> concerned, a security fix that isn't worth being pushed to
> security.debian.org is also not worth me spending time on as a maintainer to
> push to stable-updates.

Pushing minor issues through point updates is the same process other enterprise
distros use as well; SLES and RHEL also pile up minor issues for point updates
instead of sending out a security update.

In the past such minor issues were simply left unfixed in stable. Since a few
years we've established a process to systematically keep the maintainers 
informed (Jonathan Wiltshire runs a notification bot for that).


Reply to: