[Python-modules-team] python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED

Russ Allbery rra at debian.org
Wed May 24 20:48:39 UTC 2017


Jan Ingvoldstad <frettled at gmail.com> writes:

> As a Debian user, I have learned not to use backports for anything
> important because, let's face it, I'm *toast* if I do so.

> I have griped about the backports security policy years ago, and others
> have, too, but you and Alexander shoot any constructive criticism down
> with frankly very off-putting, negative, unconstructive responses.

This is completely absurd.  I have used backports for production packages
for years, including packages for which I need security updates.  You are
being far too absolutist and, by doing so, insulting to the hard work that
people put into maintaining backports.

It is true that the security support in backports is *not as good* and
*not as reliable* as the (best-in-class) security support offered for the
main Debian distribution.  This is fine, or at least entirely expected.
Fewer resources go into backports, and the person maintaining the backport
has primary responsibility for security, without the support of a regular
security team.  You need to go into this with your eyes open.  However, it
is absolutely not the case that you're "toast" if there's a security
issue; you can ask that it be fixed, or you can even fix it yourself!

My experience is that the security support for Debian backports is still
better than the security support for, say, Ubuntu universe in an LTS
release, which people use in production without a second thought despite
the fact that the security guarantees are nearly non-existent and the
support is often dire.  The standard you're applying here is much too
high.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>


