Re: Unstable update ridiculousness



On Thu, Sep 20, 2018 at 08:17:51AM -0500, John Hasler wrote:
> didier gaumet writes:
> > Please note that security updates for "unstable" distribution are not
> > managed by the security team. Hence, "unstable" does not get security
> > updates in a timely manner.
> 
> There is no promise of security updates to Unstable but in practice the
> developers upload fixes quite promptly.

To be clear, *targeted* security fixes to unstable are exceptionally
uncommon.  What usually happens is that new upstream releases that fix
security issues tend to be uploaded to unstable.  This sometimes happens
promptly and at other times can come with significant delay.

The reason for the distinction of the targeted security fixes is that
upstream may fix a reported security issue in their development
repository, but it may be some weeks or months before a new upstream
release is made with the fix.  There are occasions where the package
maintainer may cherry-pick the relevant commit(s), as is done for stable
security updates.  However, this is not the norm.  Some upstreams
actually make an effort to obfuscate which commits fix which security
vulnerabilities, which makes the matter even more challenging.

The point is that those who rely on timely security fixes should look
elsewhere than unstable and testing.

Regards,

-Roberto

-- 
Roberto C. Sánchez
