Hello Michael, On Fri, Feb 16 2018, Michael Meskes wrote: >> We cannot feasibly provide security updates when there is more than >> one version of the library in the archive. We do not, and probably >> never will have, the required manpower. >> >> This applies to the nixos/guix solutions too -- we cannot expect our >> security team to go around backporting patches to all the different >> versions we're offering to users. > > Yeah, I was expecting this point and I don't agree. Well, I do agree > on it's being too much of a burden for us to backport all fixes to > each version, but I do not agree on that being what we need to do. > > If we were to package applications as containers (not necessarily > docker-style!) we could and should have different rules for > those. Just see what people will do otherwise, use a Linux > distribution and install manually and then, maybe, update when a fixed > version of the application comes out. IMO we should do exactly the > same and make sure the application containers get update to fixed > version as and when possible. For users this means that get probably > better security and easier deployment of whatever application they > need to run. Obviously this needs to be clearly documented. Yes, I think that Debian should eventually be providing a repository of flatpaks (or similar) alongside our apt repos. One of smcv's talk at DebConf17 explains the advantages of doing this: https://debconf17.debconf.org/talks/59/ -- Sean Whitton
Attachment:
signature.asc
Description: PGP signature