Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)
On Thu, Oct 20, 2016 at 14:26:41 +0000, Holger Levsen wrote:
> On Thu, Oct 20, 2016 at 03:59:53PM +0200, Santiago Vila wrote:
> > But I'm a little bit surprised that the whole story begins in wheezy LTS.
> > Should this not start in unstable with a bug report?
> this often happens when there was a CVE with or without a bug filed and
> no one uploaded a fix. then, at some point, the LTS team comes around and
> is paid to fix this in LTS…
> I also think it would be better to always (well, unless the package is
> gone) make sure this is fixed in unstable first and then in LTS but I
> don't think this is an individual question but rather think this should
> be addressed by implementing it as mandatory part of the LTS workflow.
Yes please. The amount of QA you can do pre-release on wheezy updates
is presumably fairly limited. Having patches tested in unstable in the
(presumably not that rare) cases where the backport isn't the most
difficult/risky part of fixing the bug seems like it would benefit
everyone, except for maybe delaying your payments a bit. (My pet peeve
here is the recent libx* CVEs, which aren't critical, and where the
patches are tricky enough that regressions aren't exactly unlikely.
Maybe that's rare. I don't think it is.)