Re: Will Packaging BoringSSL Bring Any Trouble to the Security Team?
My opinion might not mean much, but as a user, I agree with this. If
i'm installing from the stable depository, we expect certain things
from packages there and everything must be held to those guidelines.
And mostly if we are using it from unstable, we are hoping to see it
evolve into being put into the stable form, not just stagnate or we
won't use it, which is bad for the both the user (losing out on
promising programs) and the company (losing out on users), i think
On Tue, May 17, 2016 at 11:27 AM, Michael Stone <mstone@debian.org> wrote:
> On Tue, May 17, 2016 at 04:02:37PM +0800, seamlikok@gmail.com wrote:
>>
>> BoringSSL is also free software, as long as there are maintainers who
>> are willing to spend time on it, I think it has rights to exist in
>> Debian. Well I have been contributing to Debian for not long, so
>> please point me out my mistakes. :)
>
>
> The question is, "who does the security updates for the package 5 years from
> now". As a general rule, we don't allow private embedded copies of libraries
> because then a security update for a library means chasing down and fixing
> any number of copies. (In historic terms, this was a huge issue, for
> example, with zlib bugs.) On top of that, if the upstream says flat-out that
> it's an unstable API, putting it into a debian release seems like a bad
> idea. Putting it unstable and never letting it make it to stable is a
> possibility, but the point of unstable is to eventually get packages into a
> released version so that seems somewhat an abuse of the system. If it's
> really a standalone component that's expected to change a lot and not
> interact with anything else in debian, then putting it in an external
> repository seems like a better fit.
>
> Mike Stone
>
Reply to: