On Wed, Nov 07, 2012 at 10:39:15AM +0100, Raphael Hertzog wrote:
> On Wed, 07 Nov 2012, Thijs Kinkhorst wrote:
> > I think we should do this only when it has been shown that applying the
> > fixes to the current version in stable(-security) is infeasible. Suppose
> > now a simple XSS is discovered, I would be very much in favour to just
> > apply that fix.
>
> I would as well. The trouble is that contrary to Django (for example),
> upstream is not pointing out which commits are security relevant and
> which versions are affected or not.
>
> And there's zero support for older versions. So we're on our own (and I'm
> not going to do all those investigations by myself).

Mmm. I see a similar problem developing with Movable Type (which I am
the sole maintainer for at the moment). I don't know what the answer is.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

