Bug#906012: libxcursor: CVE-2015-9262
Process questions are very much off-topic for this bug report, but...
On 08/30/2018 09:43 AM, Bjoern wrote:
> As I am clearly unfamiliar with your processes, I really would
> appreciate the clarification to better my understanding and perhaps
> quell my concerns:
>
> * How far away is the 9.6 point release (given that 9.5 was released
> just over 1.5 months ago)?
>
The aim is to have point releases roughly every couple of months. In
practice anywhere between 2 and 4 is common.
> * Why could the issue not be dealt with by simply supplying the fix in
> the nearer term as a security update? Would it not be better to err on
> the side of caution?
>
Any change in stable comes with risk (e.g. of regressions), and it comes
with a cost both to the security team and to all users who need to apply
the update. So the security team and/or package maintainers make a
risk/cost vs benefit analysis for any given issue and decide whether to
leave it unfixed, fix it through a point release, or fix it through
security.debian.org.
Cheers,
Julien