Status of security support in Debian stable
I would like to ask about the status of security support for LAMP
packages in Debian stable. I've noticed that security-related updates
have been lagging behind upstream - for example PHP security updates
from Debian usually come out a few weeks or even months after upstream
release. When next stable is released and longterm team takes over, this
delay goes away.
For me it's currently most notable in MariaDB - while version 10.0 from
Jessie has received multiple updates in the past few months (after becoming
longterm), 10.1 in Stretch has not been updated in a year (and its
changelog does mention CVEs).
Does anyone know the reason behind this? Is it because stable and
longterm maintainers have different opinions about the severity of the
vulnerabilities? Or do stable maintainers of LAMP-related packages
simply not have enough time to release without delays and users are
better off using upstream releases?
Thanks for all the replies.