Florian Weimer wrote:
> * Some upstream authors do not provide specific security fixes (PHP, Mozilla, GNU libc). Sometimes, no backports for the version in stable are available, and the packages are too complex for us to prepare them in a reasonable timeframe.
> * Some fixes are very invasive (because they address design issues) and thus impossible to backport.
> * security.debian.org is a single point of ownership. If we push out a malicious security update, really interesting things might happen.

That's why it might be good to have a second, distinct security path ("security essentially managed by upstream") (or whichever other path will be available). Integrated in the package management system, but maybe with non-automatic upgrades ("New upgrades available -- do you want package X?"), or automatic at the discretion of the trusting user.

From a user's point of view, I'd appreciate it if the Debian team could ensure that no data is lost while doing such upgrades. E.g., I'm not sure that while upgrading from one Mozilla version to the next, all user data (profile, mail, plugins etc.) is always correctly imported. In such a case, perhaps the team could provide the necessary conversion scripts, urge such improvements from upstream, or both.
Peer