[Python-modules-team] python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED

Rhonda D'Vine rhonda at deb.at
Wed May 24 11:12:48 UTC 2017


* Jan Ingvoldstad <frettled at gmail.com> [2017-05-24 12:02:18 CEST]:
> On Wed, May 24, 2017 at 11:54 AM, Rhonda D'Vine <rhonda at deb.at> wrote:
> > * Jan Ingvoldstad <frettled at gmail.com> [2017-05-24 11:37:49 CEST]:
> > > Basically: if you need security updates, don't rely on backports, don't
> > > put things in backports. The backport policy is incompatible with keeping
> > > systems up-to-date and secure.
> >
> >  That's a highly unfair statement.  The backport policy is the reason
> > that maintainers are unwilling to update their backports?  Come on,
> > that's a very very low blow and not a constructive comment.
> 
> 
> Well, let's look at what the Debian Security FAQ says:
> 
> *Q: How is security handled for testing?*
> 
[...]
> So, as a general principle, security updates are delayed, sometimes by two
> days, sometimes more.

 Right.  And backports could (and should) have the security updates in
the same timeframe (or earlier) as testing.  That possibility is
actively hindered if the version in backports differs from that.
With the upload exception for fast-tracking of security issues, backports
should have it even faster than testing; that's the idea behind it.


> Then we have similar issues as the ones raised by Raphael, where the life
> of the package maintainer is made difficult.

 He actively chose to ignore the guidelines, and actively chose to not
communicate about that.  That's very disappointing, for everyone.

> As a Debian user, I have learned not to use backports for anything
> important because, let's face it, I'm *toast* if I do so.

 The same goes for testing.

> I have griped about the backports security policy years ago, and others
> have, too, but you and Alexander shoot any constructive criticism down with
> frankly very off-putting, negative, unconstructive responses.

 I have actively worked with the security team to get backports
integrated into the security tracker, to be able to ease the job of
tracking issues.  I've also actively poked people to update their
backports, and in case they didn't have the time I offered to do the
upload.  That was before I got into the team.  And that was *only*
possible because packages were kept in sync on a more or less regular
basis.

 Unfortunately it looks like many decided to move away from there,
without communication, which is highly depressing, and yes, I can see
that it is perceived as negative unconstructive response to a
non-communication approach by those maintainers.  That very approach
which stirred these discussions was very unconstructive and negative to
start off with.  If you consider it only constructive to accept that
people ignore the rules then I'm very sorry, I'm not available for that.
What I am very much available for is to have a discussion on equal grounds
and *not* on a forcing-my-view-by-ignoring-the-rules level.

> This is why users tend to go to dotdeb and other external package
> repositories for updated packages. We do it for PHP, we do it for Puppet,
> we do it for MariaDB, MySQL, etc. The backports policy and/or the way
> backports are practically handled are in the way.

 Again, it's not the backports policy that hinders the security updates.
It's the opinion of backporters that actively ignore that policy and see
their own approach which actively works against the policy to be the
only way to get this resolved, and refuse to communicate or coordinate
beforehand to see how to move forward.  The rules are there for a reason
- to actually *ease* the possibility to get security fixes in, not to
make it harder.

> Until this changes, it's security 101 to stay away from backports, sorry.

 There is no security team for backports indeed, as there is none for
testing either.  The approach for testing is just easier because it has
this very strict rule that it can ultimately only have packages from
unstable moving over.  The more relaxed possibility for backports (and
human mistakes in accepting such uploads) is the cause of this issue,
not the solution.

 Enjoy,
Rhonda
-- 
Feeling discouraged? Finally take courage, go      |
Feeling helpless? Go out and help, go              | Wir sind Helden
Feeling powerless? Go out and act, go              | 23.55: Alles auf Anfang
Feeling unmoored? Find a hold and let go           |