on updating debian-security-support in stable and oldstable (due to DSA-4562-1)

To: team@security.debian.org
Cc: debian-release@lists.debian.org
Subject: on updating debian-security-support in stable and oldstable (due to DSA-4562-1)
From: Holger Levsen <holger@layer-acht.org>
Date: Sun, 24 Nov 2019 18:42:49 +0000
Message-id: <[🔎] 20191124184249.qdk2ju2y2pg4dkw4@layer-acht.org>

hi,

DSA-4562-1 at the very end of its very long text had the following note, which 
I'd like to make a little bit more known...:

"For the oldstable distribution (stretch), support for chromium has been
discontinued.  Please upgrade to the stable release (buster) to continue
receiving chromium updates or switch to firefox, which continues to be
supported in the oldstable release."

This info was then included in the 2019.11.16 upload of debian-security-support
to unstable with this change:

  * Add chromium to security-support-ended.deb9.

Currently we have:

 debian-security-support | 2019.02.02~deb8u1  | jessie-security          | source, all
 debian-security-support | 2019.02.02~deb9u1  | stretch                  | source, all
 debian-security-support | 2019.06.13         | buster                   | source, all
 debian-security-support | 2019.11.16         | bullseye                 | source, all
 debian-security-support | 2019.11.16         | sid                      | source, all

Out of this case I'd like to establish some default procedure on how to
update debian-security-support in all suites at any time, so that we can
just follow these each and every time.

(The changes itself are trivial from a risk point of view: they are just 
changes to some text files.)

So some questions:

- can debian-security-support updates be made via (buster|stretch)-updates?
  - just now, or always?
- or could these updates go in via (buster|stretch)-security instead?
  - just now, or always?
  - and then, shall there be DSAs released for these uploads?
- or should debian-security-support follow the normal point release schedule,
  which AIUI currently has the unfortunate drawback that no stretch point 
  release is planned anymore (??), which makes the informing about DSA-4562-1
  / no chromium   support in stretch rather hard.

I'd be glad to turn this into a bug against release.debian.org if this
is deemed useful. I just started this thinking about releasing via DSA
and now I think I would prefer always going via (buster|stretch)-updates, 
just like tzdata.


Last: I'll be glad to do the uploads (and write DSAs) as required.


-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: on updating debian-security-support in stable and oldstable (due to DSA-4562-1)
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Bug#941907: marked as done (transition: ocaml)
Next by Date: Bug#944396: transition: exiv2
Previous by thread: Bug#941907: marked as done (transition: ocaml)
Next by thread: Re: on updating debian-security-support in stable and oldstable (due to DSA-4562-1)
Index(es):
- Date
- Thread