Hey,

On the one side I'm totally with Guilhem, that getting rid of the old roundcube in old-stable would be the best thing. Upstream itself has not supported this version for a long time. I'm not sure if any CVEs are filed for such old versions anymore from upstream.

On the other side: The upgrade from 0.7->0.9->1.0 was never tested on a big audience, because roundcube was not released with stable. So we have a very small test set who tested this upgrade. So pushing this upgrade to LTS is exactly the opposite of providing a stable upgrade.

Regards, sandro

--
On Tuesday, 3 May 2016, 18:52:32 CEST, Markus Koschany wrote:
> On 03.05.2016 at 18:37, Moritz Muehlenhoff wrote:
> > On Tue, May 03, 2016 at 06:28:03PM +0200, Markus Koschany wrote:
> >> The second best solution would be to backport either the 1.0.x branch or
> >> your jessie-backport packages to Wheezy. Since you actively maintain
> >> them, what do you think, how complex is the task to backport the
> >> packages from jessie-backports to Wheezy?
> >
> > What's the point in updating a server package like roundcube in LTS
> > to the version from LTS+1? It creates significant churn on the sysadmin's
> > side, which is better spent on upgrading the entire VM/machine to LTS+1.
> >
> > Clearly not all packages are suitable for five years maintenance, so it's
> > better to not paper over the systems, but rather make this explicit.
>
> You should also take into consideration that Roundcube is a web
> application and depending on the package in question and options
> available, a backport is a reasonable solution, for the same reasons we
> have backported other packages before. Also the whole point of LTS is
> that you don't have to upgrade the entire system, especially if you run
> multiple different PHP applications on the same server. The order of
> options is still valid.
>
> Regards,
>
> Markus