Re: maintaining debian-security-support in stable, oldstable (and oldoldstable)

To: debian-release@lists.debian.org, Holger Levsen <holger@layer-acht.org>
Cc: team@security.debian.org
Subject: Re: maintaining debian-security-support in stable, oldstable (and oldoldstable)
From: Chris Hofstaedtler <zeha@debian.org>
Date: Sun, 31 May 2020 17:13:02 +0200
Message-id: <[🔎] 20200531151302.sxtrk4bqwgaosao3@percival.namespace.at>
In-reply-to: <[🔎] 20200530221414.GC21214@layer-acht.org>

Hi Holger,

> i just dont think releasing d-s-s updates via point releases makes sense.
> and often they also dont warrant a security/lts update as they come with
> DSAs/DLAs and mostly the d-s-s updates are based on DSA/DLAs and thus such
> DSA/DLAs would just refer to the other ones.

May I ask you to expand on "why" a little bit, please?

Personally I don't know about the process for when d-s-s gets
updated. I would somehow expect that d-s-s gets updated, for
(old)stable, when a DSA/DLA is being issued, where the DxA probably
said "package X is not supported anymore" or "package Y will not be
supported after Z".

If my assumption is correct, then I'd suggest uploading d-s-s at the
same time as issuing the DxA, to $suite-security. (*)

I feel that this would be important for people with automated
monitoring - they will immediately see alerts for packages they have
installed, which became unsupported.

NB: all of this assumes data-only changes in d-s-s.


Chris


*: if that needs a policy change, i feel the change would be
warranted.

Reply to:

References:
- maintaining debian-security-support in stable, oldstable (and oldoldstable)
  - From: Holger Levsen <holger@layer-acht.org>

Prev by Date: Bug#961921: buster-pu: package php-horde-gollem/3.0.12-3+deb10u1
Next by Date: Bug#894049: marked as done (transition: ncurses)
Previous by thread: maintaining debian-security-support in stable, oldstable (and oldoldstable)
Next by thread: Processed: block 951674 with 961836
Index(es):
- Date
- Thread