On Thu, Sep 20, 2018 at 08:17:51AM -0500, John Hasler wrote:
> didier gaumet writes:
> > Please note that security updates for "unstable" distribution are not
> > managed by the security team. Hence, "unstable" does not get security
> > updates in a timely manner.
>
> There is no promise of security updates to Unstable but in practice the
> developers upload fixes quite promptly.
To be clear, *targeted* security fixes to unstable are exceptionally uncommon. What usually happens is that new upstream releases that fix security issues tend to be uploaded to unstable. This sometimes happens promptly and at other times can come with significant delay.

The reason for the distinction of the targeted security fixes is that upstream may fix a reported security issue in their development repository, but it may be some weeks or months before a new upstream release is made with the fix. There are occasions where the package maintainer may cherry-pick the relevant commit(s), as is done for stable security updates. However, this is not the norm. Some upstreams actually make an effort to obfuscate which commits fix which security vulnerabilities, which makes the matter even more challenging.

The point is that those who rely on timely security fixes should look elsewhere than unstable and testing.

Regards,

-Roberto

-- 
Roberto C. Sánchez

