Re: rails security update policy

To: Bastien Roucaries <rouca@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, Debian Security Team <security@debian.org>, debian-ruby@lists.debian.org
Subject: Re: rails security update policy
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 2 Dec 2025 21:35:54 +0100
Message-id: <[🔎] aS9NqpV29XOXsIcK@eldamar.lan>
Mail-followup-to: Bastien Roucaries <rouca@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, Debian Security Team <security@debian.org>, debian-ruby@lists.debian.org
In-reply-to: <[🔎] 6739839.K2JlShyGXD@debian-ei>
References: <6817482.G0QQBjFxQf@debian-ei> <aS3t9MqHXbtAQVm5@inutil.org> <[🔎] 6739839.K2JlShyGXD@debian-ei>

Hi Bastien,

On Mon, Dec 01, 2025 at 09:42:10PM +0100, Bastien Roucaries wrote:
> Le lundi 1 décembre 2025, 20:35:16 heure normale d’Europe centrale Moritz Mühlenhoff a écrit :
> > On Sun, Nov 30, 2025 at 07:03:32PM +0100, Bastien Roucaries wrote:
> > > Hi,
> > > 
> > > What is the rails security update policy ?
> > > 
> > > Should I backport patches individually or should we update to last stable sub version ?
> > 
> > For rails it's fine to follow the releases (for as long as they are
> > supported and then we move on to cherrypicking patches)
> Ok so:
> - for trixie I will do a sid backport

maybe it was self-exlanatory and this remark is not needed: if you do
a backport, you need to have some assurance that additional changes
are actually suitable for the lower suite.

If not you would do actually a version import on top of the current
pacakging (i.e. the -0+deb13u1 versioning scheme).

That said, I have not looked in detail if the changes between the
current trixie and unstable versions fall into that class, it is more
as a general remark about the procedure.

Regards,
Salvatore

Reply to:

References:
- Re: rails security update policy
  - From: Bastien Roucaries <rouca@debian.org>

Prev by Date: Re: rails security update policy
Previous by thread: Re: rails security update policy
Index(es):
- Date
- Thread