[Python-modules-team] python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED

Jan Ingvoldstad frettled at gmail.com
Wed May 24 10:02:18 UTC 2017


On Wed, May 24, 2017 at 11:54 AM, Rhonda D'Vine <rhonda at deb.at> wrote:

> * Jan Ingvoldstad <frettled at gmail.com> [2017-05-24 11:37:49 CEST]:
> > Basically: if you need security updates, don't rely on backports, don't put
> > things in backports. The backport policy is incompatible with keeping
> > systems up-to-date and secure.
>
>  That's a highly unfair statement.  The backport policy is the reason
> that maintainers are unwilling to update their backports?  Come on,
> that's a very very low blow and not a constructive comment.


Well, let's look at what the Debian Security FAQ says:

"*Q: How is security handled for unstable?*
A: Security for unstable is primarily handled by package maintainers, not
by the Debian Security Team. Although the security team may upload
high-urgency security-only fixes when maintainers are noticed to be
inactive, support for stable will always have priority. If you want to have
a secure (and stable) server you are strongly encouraged to stay with
stable.

*Q: How is security handled for testing?*

A: Security for testing benefits from the security efforts of the entire
project for unstable. However, there is a minimum two-day migration delay,
and sometimes security fixes can be held up by transitions. The Security
Team helps to move along those transitions holding back important security
uploads, but this is not always possible and delays may occur. Especially
in the months after a new stable release, when many new versions are
uploaded to unstable, security fixes for testing may lag behind. If you
want to have a secure (and stable) server you are strongly encouraged to
stay with stable."

So, as a general principle, security updates are delayed, sometimes by two
days, sometimes more.

Then we have similar issues as the ones raised by Raphael, where the life
of the package maintainer is made difficult.

As a Debian user, I have learned not to use backports for anything
important because, let's face it, I'm *toast* if I do so.

I have griped about the backports security policy years ago, and others
have, too, but you and Alexander shoot any constructive criticism down with
frankly very off-putting, negative, unconstructive responses.

This is why users tend to go to dotdeb and other external package
repositories for updated packages. We do it for PHP, we do it for Puppet,
we do it for MariaDB, MySQL, etc. The backports policy and/or the way
backports are practically handled are in the way.

Until this changes, it's security 101 to stay away from backports, sorry.
-- 
Jan