
Re: More 5 november in the release schedule



On Wed, 2016-11-09 at 22:55 +0200, Adrian Bunk wrote:

> Is anyone tracking what packages are installed from backports on
> Debian machines, and the CVEs in them?

backports is unsupported by the security team, so DSA & backports users
rely on service maintainers and backporters to do the right thing.

> Using backports without doing that would be irresponsible.

Agreed, but that is the best we have right now.

> Package removals from unstable are also a potential problem, example:

Agreed.

> The maintainer wanted to remove this package from *unstable*.

Thanks for pointing this out.

> FreeRADIUS is popular enough that people noticed before an RM: bug was 
> filed, and new maintainers were found immediately.

Looks like that wasn't enough since it didn't reach unstable yet.

> Other packages are not that popular.

Even the unpopular packages have users or potential users, we need to
develop better chains of communication with those users & communities.

> If any packages needed on these Debian machines have been removed from 
> unstable, they are not on your list.

Correct:

https://bugs.debian.org/838363
  
> This is the reason why an ITP/RM revolving door is creating huge
> headaches for users.

Agreed.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
