On Wed, 24 May 2017, Adrian Bunk wrote:
> > This is because backports maintainers are expected to keep the packages
> > they upload there as secure.
>
> "are expected" != "are actually doing"
>
> > If the rules are not allowing us to do that, then the rules are bad.
>
> The biggest general problems are not the rules.
>
> If the person who did two years ago the jessie backport of a package
> used by DSA retired from Debian a year ago or is one of the many MIA
> developers, how are the machines maintained by DSA kept secure today?

Adrian, you keep diverting the discussion to something else entirely.
I'm stopping here.

You are bringing to light known problems that have currently no good
answers. But those problems exist with the current policy already. So
they are irrelevant in the discussion of my requested change. My request
is not making that worse or better.

> Imagine someone else would have done the python-django backport,
> and would upload 1.10 to jessie-backports today.
> What would you as user do?

You are again diverting the discussion to another problem. This is not
my situation... in the general case, the user can't rely on the version
in jessie-backports to not change in backwards incompatible way.

But I'm the maintainer and I can promise more than the baseline. I can
tell my users "I will keep maintaining the current LTS version as long as
it's supported upstream" in $stable-backports.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

_______________________________________________
Python-modules-team mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team

