Hi Nilesh, On 26-01-2023 10:06, Nilesh Patra wrote:
I guess something that changed since then is that upstream is aware about it and can help a bit with backporting. However the onus to maintain it in stable is still on the maintainer and security@ (to some extent) It is bit of a high-effort maintainance (in stable) as far as I can see.
I may (or may not) be misunderstanding you. As a maintainer, it's up to you to commit to the effort. If you're up to it and judge it's feasible, I'm not going to block you on that. I understood you raised a concern about it being feasible, that's why we ended up here. If you commit (obviously best effort, but we'll expect you to spend time on it) *and* the security team agrees that with your commitment it's supportable, I'll remove my concern. Our concern is that we *don't* want new versions in stable to fix security issues if those new versions are not bugfix-only releases. We have to accept that for browsers, because shipping without them seems like a disservice to nearly all of our users, but still it's something we really don't like.
fasttrack still has much less visibility / availability than an official stable release, or even backports.
Obviously that will only be solved if it's more used (and/or if eventually it can be moved to the debian.org namespace.) But indeed.
Paul
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature