Re: php vulnerabilities

* Michael Stone:

> The two programs are different cases. I think a reasonable question has
> been raised, and Debian does need to come up with a better solution for
> dealing with packages which will not be maintainable over the course of
> a stable release.

For a reasonable policy, we need more input from the security team.
Security patches don't grow on trees, and I believe the team doesn't
create all patches themselves, either.  AFAIK, the extent of
cooperation with other vendors is not really documented publicly
(perhaps rightly so).

My best guess is that things are fine until Debian is the last guy
left in town, and no one else (upstream, other vendors) supports the
version in stable.  Is this correct?

