[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life

Moritz Mühlenhoff <jmm@inutil.org> writes:
> Vincent Bernat <bernat@debian.org> wrote:
>> There are many tradeoffs recently with projects that do not want to
>> provide a sensible security track for stable releases:
>>  - always package the latest release (Chromium)
> For chromium and iceweasel the vast amount of security issues doesn't leave
> much other options.
> elasticsearch isn't that category, they simply have chosen to be secretive
> from now on and I don't see why we should cater to uncooperative upstreams
> with special handling.
> Hopefully we'll have PPAs/bikesheds soon, that seems like a proper candidate
> for cases like that.

That's in the end just pretending the problem doesn't exist? What is the
practical difference for users between blindly[1] updating a package in
stable and moving it to a PPA?

I'm really not a fan of moving stuff out of the official release and
pushing users to use extra repositories :-/


  [1] As in no extra review by the release/security team as otherwise
      there is a difference in the amount of work needed.

Reply to: