Bug#1057755: Qt WebEngine Security Support In Stable
- To: Adrian Bunk <bunk@debian.org>
- Cc: Soren Stoutner <soren@stoutner.com>, Mike Gabriel <sunweaver@debian.org>, 1057755@bugs.debian.org, Patrick Franz <deltaone@debian.org>, Debian UBports Team <team+ubports@tracker.debian.org>, Debian Release Team <debian-release@lists.debian.org>, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>, Dmitry Shachnev <mitya57@debian.org>, Debian Security Team <security@debian.org>, Pirate Praveen <praveen@debian.org>, Nilesh Patra <nilesh@debian.org>, Aurélien COUDERC <coucouf@debian.org>, Fritz Reichwald <reichwald@b1-systems.de>, Thomas Goirand <thomas@goirand.fr>
- Subject: Bug#1057755: Qt WebEngine Security Support In Stable
- From: Moritz Muehlenhoff <jmm@inutil.org>
- Date: Fri, 15 Dec 2023 20:18:10 +0100
- Message-id: <20231215191810.GA4395@inutil.org>
- Reply-to: Moritz Muehlenhoff <jmm@inutil.org>, 1057755@bugs.debian.org
- In-reply-to: <ZXwQqCEFtVwx9VxB@localhost>
- References: <170199911428.713712.13945181272059018033.reportbug@soren-desktop.stoutner.com> <4190101.1IzOArtZ34@treadstone-71> <1889894.itTzSnWKVK@soren-desktop> <20231214075802.Horde.bt03VsbWf7zcH_G4skR3c_V@mail.das-netzwerkteam.de> <4f1f9ca8-61a4-43f6-b3bc-38752dbe9161@stoutner.com> <ZXuNdExxINc2SIqT@localhost> <c3fff345-f371-4a4a-83a6-fa9fc8ecdb10@stoutner.com> <ZXwQqCEFtVwx9VxB@localhost> <170199911428.713712.13945181272059018033.reportbug@soren-desktop.stoutner.com>
On Fri, Dec 15, 2023 at 10:39:04AM +0200, Adrian Bunk wrote:
> > That is a good point. However, I consider full coverage of security support
> > for stable to be an improvement over the current situation. Explicitly
> > stating that security support is not shipped for oldstable does not do any
> > more harm to users than what we currently do by explicitly stating that
> > security support is not shipped for either stable or oldstable.
>
> From a policy point of view, the duration of security support is a
> Debian-wide policy and not a per-package policy.
>
> From a user point of view, an organization/company running Debian on
> their user/employee desktops would not schedule upgrades to a new
> stable on release day - 1 year of migration time is really necessary.

We already set some tighter deadlines, Chromium security support will
also end six months after the release of the next stable release.
But I agree with the general sentiment that this is too much work to directly
commit to full security support. A first step would be to initially commit
to rebase to the latest LTS release in every point release. That would already
be an improvement.

Cheers,
Moritz