On 03/11/2013 10:49 AM, Didier 'OdyX' Raboud wrote:
a) we fail at releasing Moodle updates to unstable in a timely
manner (and I
have my share of the fault here);
b) we consequently fail at releasing Moodle security updates to
wheezy in a
timely manner (this unblock is opened for almost two months);
c) Moodle 2.2 is already not supported anymore by Moodle HQ for
anything (not
even security), according to [0];
Furthermore on that point, as far as I can see, there is noone
taking
responsibility to handle Moodle 2.2 security on the long term
(Moodle in
Wheezy will need to be security-handled for roughly three years,
yet it is
_already_ not supported).
d) there is (in my opinion) not enough people behind the maintenance
of
Moodle-in-Debian: Thomas is a good DM, but he's mostly alone,
and I'm not
willing to get more involved.
So as much as I find that unfortunate, I think that the best
solution for all
of Moodle, Moodle-in-Debian and Debian, is to not ship Moodle 2.2 in
Wheezy.
Thomasz, as you're the actual de-facto maintainer, please voice your
opinion
as I have voiced mine: the decision is in the hands of the Release
Team I
guess.
I have exactly the same concerns. Security fixes has been released
for Moodle 2.2 today. I could cherry pick the patches and we could
close this bug - not a big deal. They will probably be another
security update for Moodle this year but that's it.
Realistically speaking there is no way I can maintain security fixes
for non-supported (by upstream) software this size.
I have put Moodle 2.2 into Wheezy as that's the only possible upgrade
path for Moodle (1.9 -> 2.2 -> 2.3+).
By not shipping 2.2 in wheezy, we will break the upgrades for any
current users. I don't see any other option though. There are talks
in
Moodle about making LTS version (e.g. 2.6LTS) - and that's probably
the only reasonable way to maintain a high quality package like this
in Debian.