
Wordpress in etch



As micah suggests, I will offer a "firm commitment to actually making
the security updated packages when the hole comes out, and even drafting
the DSA and delivering it to the security team on a silver platter, and
if it becomes untenable I will support the removal".

Below is the last email from upstream confirming support.

Best wishes,

----- Forwarded message from Ryan Boren <ryan@boren.nu> -----

From: Ryan Boren <ryan@boren.nu>
To: Kai Hendry <hendry@iki.fi>
Subject: Re: Etch
Date: Mon, 5 Mar 2007 13:52:27 -0800

On 3/5/07, Kai Hendry <hendry@iki.fi> wrote:
>On 2007-03-05T09:46-0800 Ryan Boren wrote:
>> On 3/5/07, Kai Hendry <hendry@iki.fi> wrote:
>> >http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413269
>> >If you say you can confirm support 2.0.x Wordpress like you agreed to
>> >before, I can take it from there.
>> We are committed to supporting 2.0.x until 2010.
>I was chatting with one of the guys in debian-security and he suggests
>to seal the deal, that I convince upstream (that's you) *only* to do
>security fixes on the 2.0.x branch. Think we can do that?

Beyond security problems, we typically only fix very high profile bugs
such as the feedburner issue and the bugs leading up to it.  We also
try to preserve forward compatibility with new releases of php, which
can be a pain in the ass.  During normal circumstances, however, 2.0
is strictly security fixes.  We've had a number of those lately,
unfortunately, but that is due in part to the fact that WordPress
recently has been receiving a huge amount of security audit attention.
We're nearing the point where our security has been picked over by
everyone's fine tooth combs.  After the next release, I think the
security updates should slow down.

>Here is the log of my discussion with micah:
>
>19:24 < Maulkin> hendry: I don't see why it shouldn't be supported. 2.0.x gets security updates only - the work required by the security team is almost none.
>19:25 -!- luk [~luk@d5152B0D4.access.telenet.be] has quit [Ping timeout: 480 seconds]
>19:34 -!- SirMoo [moo@hawking.cowsay.de] has quit [Ping timeout: 480 seconds]
>19:36 -!- luk [~luk@d5152B0D4.access.telenet.be] has joined #debian-security
>19:36 -!- Netsplit charon.oftc.net <-> unununium.oftc.net quits: madduck, Falco, zobel
>19:38 -!- Netsplit over, joins: zobel, madduck, Falco
>19:57 < hendry> Maulkin: exactly. Was there some debian security conference about this I wasn't invited to?
>19:57 < hendry> the arguments by vorlon and jmm_ are pitiful
>19:59 -!- Frolic [~ederm@tor-irc.dnsbl.oftc.net] has quit [Quit: Saindo]
>20:30 < CIA-1> alec-guest * r5512 /data/CVE/list: tcpdump fixed
>20:47 < micah> hendry: yeah they met in vancouver ;)
>20:48 < micah> hendry: the only thing that makes me concerned about supporting the security in drupal for a couple years is that most of the 2.0.x upgrades that fix security issues also fix other issues at the same time, so you would have to isolate the security fixes from those for stable updates
>20:50 < hendry> micah: that's what upstream is keen to do
>20:50 < hendry> no new feature, just security
>20:51 < hendry> in Wordpress btw, not drupal
>20:51 < micah> hendry: i've tracked 2.0.6-2.0.9 and 2.1-2.1.2 and each one of those releases has been done for security reasons and they all had other things crammed in them besides just security fixes
>20:51 < micah> err, sorry I was talking drupal with someone else in another channel ;)
>20:52 < micah> s/drupal/wordpress
>20:53 < hendry> I think that's a little overblown
>20:53 < hendry> but i can't recall the exact 2.0.8-2.0.9 diff
>20:55 < micah> I don't think it's overblown, if you look at the changelog of each of those you will see
>20:55 < micah> 2.0.6 -> 2.0.7 fixed security issues and feedburner issues
>20:56 < micah> gah, they don't distribute a changelog so it's not easy to gather that quickly :)
>20:56  * hendry sighs
>20:56 < hendry> these guys are really trying hard to please Debian
>20:57 < hendry> If I ask them to only support security fixes and not any-other-type-fixes
>20:57 < micah> i'm not against you here, I actually think that it shouldn't be kicked out
>20:57 < micah> I'm just saying...
>20:58 < hendry> micah: sure
>20:58 < micah> that if they include other fixes than security ones, that means you (or the security team if you slack) has to carve out the security specific things
>20:58 < hendry> i don't want to see that scenario either
>20:58 < hendry> branching their stable branch would be madness
>20:59 < hendry> anyway, I am just feeling the heat here.
>20:59 < hendry> how should I resolve this with vorlon and jmm_ ?
>20:59 < hendry> micah: have you read their arguments on the bug?
>20:59 < micah> i don't know really
>21:00 < hendry> if it is a democracy then my side would win, because a lot more people support inclusion
>21:00 < hendry> though I don't think it works like that here
>21:00 < hendry> ;)
>21:01 < micah> i think convincing them that it will have security support, because you are making a firm commitment to making that happen (ie. actually making the security updated packages when the hole comes out, and even drafting the DSA and delivering it to the security team on a silver platter) and if it becomes untenable you'd support the removal
>21:01 < hendry> that sounds fine
>21:02 < hendry> i never really expected debian-security to do my housework anyway ;)
>21:02 < micah> I don't think a democracy is based on what people want, i mean the world would be in a hedonistic, drunken bacchanalia if democracy were ruled by what people really wanted
>21:02 < hendry> micah: then you belittle your common man :)
>21:02 < micah> well I'm not making any deals for jmm/vorlon, I'm just giving you suggestions
>21:02 < micah> or I am exposing my desires
>21:03 < hendry> i had to look up bacchanalia
>21:03 < micah> i think the best thing would be to respond to their concerns they raised in the bug report and reassure them that those concerns will not spill over onto their plate
>21:04 < hendry> bacchanalia sounds kinda good
