Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life

To: Vincent Bernat <bernat@debian.org>
Cc: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life
From: Rhonda D'Vine <rhonda@deb.at>
Date: Mon, 2 Nov 2015 09:50:08 +0100
Message-id: <[🔎] 20151102085007.GA4430@anguilla.debian.or.at>
In-reply-to: <[🔎] m37fm172a0.fsf@neo.luffy.cx>
References: <20151101222252.GC5235@pisco.westfalen.local> <[🔎] m37fm172a0.fsf@neo.luffy.cx>

* Vincent Bernat <bernat@debian.org> [2015-11-02 00:01:11 CET]:
>  ❦  1 novembre 2015 23:22 +0100, Moritz Muehlenhoff <jmm@debian.org> :
> > Security support for elasticsearch in jessie is hereby discontinued. The
> > project no longer releases information on fixed security issues which
> > allow backporting them to released versions of Debian and actively
> > discourages from doing so.
> >
> > elasticsearch will also be removed from Debian stretch (the next stable
> > Debian release), but will continue to remain in unstable and available
> > in jessie-backports.
> 
> There are many tradeoffs recently with projects that do not want to
> provide a sensible security track for stable releases:
> 
>  - always package the latest release (Chromium)
>  - always package the latest release of an upstream stable branch (MySQL)
>  - always package the latest release through backports (without using testing)
> 
> I suppose that the first two options are to be negotiated with the
> release team. Is the last option open to any package or does it need to
> be negotiated with the FTP masters?

 With my backports team hat on: The last option isn't really open, this
was a vast misunderstanding from the discussion that Moritz had with me
privately (instead of going through the backports team mail address).
I'm sorry that this left the impression that it is an option.


 In my personal opinion (i.e., without any hat on), a package that isn't
targeted for a stable release shouldn't even be uploaded to unstable.
Packages uploaded to unstable are meant to be targeted at the next
stable release and (again, personally) I consider this a bit of an abuse
to have it there "just for the sake of it".  We have the experimental
pocket for stuff that isn't targetted at the next stable release for
trying out things.[1]


 So long,
Rhonda
[1]  Yes, I'm very well aware that I'm argumenting here against myself
     with respect to wesnoth development releases; guess we'll follow
     that pattern in the future.
-- 
Fühlst du dich mutlos, fass endlich Mut, los      |
Fühlst du dich hilflos, geh raus und hilf, los    | Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los    |

Reply to:

References:
- Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life
  - From: Vincent Bernat <bernat@debian.org>

Prev by Date: Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life
Next by Date: Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life
Previous by thread: Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life
Next by thread: Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life
Index(es):
- Date
- Thread