Re: [SECURITY] [DSA 3389-1] elasticsearch end-of-life



Moritz Mühlenhoff <jmm@inutil.org> writes:
> Vincent Bernat <bernat@debian.org> wrote:
>> There are many tradeoffs recently with projects that do not want to
>> provide a sensible security track for stable releases:
>>
>>  - always package the latest release (Chromium)
>
> For chromium and iceweasel the vast amount of security issues doesn't leave
> many other options.
>
> elasticsearch isn't in that category, they simply have chosen to be secretive
> from now on and I don't see why we should cater to uncooperative upstreams
> with special handling.
>
> Hopefully we'll have PPAs/bikesheds soon, that seems like a proper candidate
> for cases like that.

That's in the end just pretending the problem doesn't exist? What is the
practical difference for users between blindly[1] updating a package in
stable and moving it to a PPA?

I'm really not a fan of moving stuff out of the official release and
pushing users to use extra repositories :-/

Ansgar

  [1] As in no extra review by the release/security team as otherwise
      there is a difference in the amount of work needed.