On Sun, Mar 18, 2007 at 08:11:15AM +1100, Craig Sanders wrote: > > well, what did you expect? > > if you're using backports.org, you may as well be using unstable. > That's not quite true. You may as well be using unstable for the packages you are pulling from backports. > in fact, you're better off with unstable because there are more people > using it, so it is better tested. with backports.org, you can be pretty > sure that NOBODY else is using your exact combination of libraries and > other packages....so you may be the ONLY person to ever encounter a > particular bug. > Really? So, he's better off with unstable so that he can potentially be the first user to find it there instead of in backports? So that he can also be potentially bitten by any number of bugs which invariably hit unstable first? > IMO, backports.org is just a second-rate way of running 'unstable' for > people who are scared by the name 'unstable'. > > (and 'testing' is a way of running 'unstable' with a long delay for any > urgent fixes. although at least it also serves the useful purpose of > testing the next release so it's a good thing that some people use it) > If an orphaned package is the subject of a security advisory, who fixes it? In stable, it is the security team. In unstable, there is no obligation for anybody to provide security support. Someone on the security team or the QA team may be nice enough to do a QA upload of the new version of the package (as many upstream developers release security fixes by releasing whole new versions), but nobody is obligated to do that. Regards, -Roberto -- Roberto C. Sanchez http://people.connexer.com/~roberto http://www.connexer.com
Attachment:
signature.asc
Description: Digital signature