[Python-modules-team] python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED

Adrian Bunk bunk at debian.org
Wed May 24 10:46:27 UTC 2017


On Wed, May 24, 2017 at 11:55:45AM +0200, Raphael Hertzog wrote:
> On Wed, 24 May 2017, Jan Ingvoldstad wrote:
> > Basically: if you need security updates, don't rely on backports, don't put
> > things in backports. The backport policy is incompatible with keeping
> > systems up-to-date and secure.
> [...] 
> > I strongly recommend not using backports for anything else, and certainly
> > not in production.
> 
> This is not in line with DSA's policy. If we need anything newer than
> stable for a service hosted by DSA, then we have to use packages in
> stable-backports.
> 
> This is because backports maintainers are expected to keep the packages
> they upload there as secure.

"are expected" != "are actually doing"

> If the rules are not allowing us to do that, then the rules are bad.

The biggest general problems are not the rules.

If the person who did the jessie backport of a package used by DSA
two years ago retired from Debian a year ago, or is one of the many MIA
developers, how are the machines maintained by DSA kept secure today?

> That said, just because we need something newer and secure, does not mean
> that we always want to track every major update from testing during the
> whole lifetime of stable-backports.

Let's go away from the special case where you are both the backport 
maintainer and the user, and look at the general problem.

The policy change you want would permit maintaining 1.8 in 
jessie-backports, but it would still allow the normal way
of uploading 1.10 from stretch to jessie-backports.

Imagine someone else would have done the python-django backport,
and would upload 1.10 to jessie-backports today.
What would you as user do?

Using a package from backports is supposed to allow tracking that
specific package from testing in stable without upgrading everything
else to testing.

It cannot guarantee the stability, in the sense of not changing in
incompatible ways, that you can expect from a package in stable.

> Cheers,

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed