On Thu, Nov 24, 2016 at 07:08:33PM +0100, Daniel Pocock wrote:
>
>
> On 24/11/16 17:39, Adrian Bunk wrote:
> > On Thu, Nov 24, 2016 at 05:22:29PM +0100, Daniel Pocock wrote:
> >> ...
> >> For networked services, it is different.
> >>
> >> Debian has already been carrying updated versions of Firefox and
> >> Chromium in stable including bundled dependencies too. Maybe we need to
> >> have an objective way of deciding which other projects genuinely deserve
> >> the same treatment.
> >> ...
> >
> > The problem with Firefox/Chromium is not "networked services".
> >
> > The problem is that it is not feasible to backport all security fixes
> > to a 3 year old version of such a browser.
> >
> > And the "objective way of deciding" is that not shipping any web browser
> > would not be a realistic option.
> >
> > For nearly any other package, not shipping it in a stable is the better
> > option for Debian.
>
> Why do you say it is the better option?
>
> If a package is very useful and has made certain efforts to be stable
> (e.g. not arbitrarily changing the command line syntax) and it is a leaf
> package, maybe it is time to consider it?

Every update you put into stable might get automatically deployed to
millions of computers running unattended-upgrades (or similar). Only
doing "certain efforts to be stable" could easily result in huge
outages somewhere.

> The alternative is that more and more frequently, the user is tempted to
> get things from upstream apt repositories. If many upstreams go down
> that path and more users accept it as normal, the net result may be even
> worse.

When upstream is very volatile, this is a decent option.

> Regards,
>
> Daniel

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed