Re: fixing in oldstable before unstable (was Re: Wheezy update of tre?)
Am 20.10.2016 um 18:31 schrieb Markus Koschany:
> On 20.10.2016 17:15, Holger Levsen wrote:
>> On Thu, Oct 20, 2016 at 04:52:07PM +0200, Markus Koschany wrote:
>>> Fixing bugs in unstable or any other suite in Debian is not a part of
>>> Wheezy LTS.
>> Of course it's more work and of course it might be difficult.
> It's not just about "more work", it is mainly about how you define the
> scope of a long term support release. We have paid and unpaid
> contributors. You can't force volunteers to work on something. By
> declaring it mandatory to fix bugs in unstable, you increase their
> workload and make it less likely that someone will fix a bug in Wheezy LTS.
> As for paid contributors: They are paid to keep Wheezy secure and to
> support users of this distribution. Of course you can extend the scope
> of Wheezy LTS to unstable but then you need to ask all involved parties,
> especially the sponsors, if they agree with this change. You get paid
> for repairing my car if you repair my other car too, just doesn't work.
It's true that sponsors donate their money for getting security
vulnerabilites fixed in *Wheezy* (or whatever oldstable is at the
moment), but in my eyes a bugreport about these very security
vulnerabilites could be seen as part of the LTS work. I don't even think
that we explicitly have to ask for permission here.
Isn't it more about the workflow we agree on in Debian regarding
security vulnerabilites? So far the agreed practice (and prefered by the
Security Team) is to first report the bugs against the version in
unstable (if this version is vulnerable as well). And as this is the
common workflow in our project, triaging security vulnerabilites as part
of the paid LTS work should include reporting these bugs, no?
>> But if it's not been done, the fix might get lost and your work was void.
> Why would the work get lost? The patch for Wheezy won't vanish and a fix
> for unstable is often a totally different issue.
The upload to wheezy-security will not get lost, but the security
vulnerability might not get tracked further. If we write a bugreport,
it's ensured that the maintainer(s) are aware of the vulnerability.
So if the Security Team doesn't disagree, I'm much in favour of doing
the bug reporting against unstable as part of the LTS Team work. If we
can use their template for doing so, even better.