As micah suggests I will offer a firm commitment to (actually making
the security updated packages when the hole comes out, and even drafting
the DSA and delivering it to the security team on a silver platter) and
if it becomes untenable I will support the removal.
Below is the last email from upstream confirming support.
Best wishes,
- Forwarded message from Ryan Boren [EMAIL PROTECTED] -
From: Ryan Boren [EMAIL PROTECTED]
To: Kai Hendry [EMAIL PROTECTED]
Subject: Re: Etch
Date: Mon, 5 Mar 2007 13:52:27 -0800
On 3/5/07, Kai Hendry [EMAIL PROTECTED] wrote:
On 2007-03-05T09:46-0800 Ryan Boren wrote:
On 3/5/07, Kai Hendry [EMAIL PROTECTED] wrote:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413269
If you say you can confirm support for 2.0.x WordPress like you agreed to
before, I can take it from there.
We are committed to supporting 2.0.x until 2010.
I was chatting with one of the guys in debian-security and he suggests
to seal the deal, that I convince upstream (that's you) *only* to do
security fixes on the 2.0.x branch. Think we can do that?
Beyond security problems, we typically only fix very high profile bugs
such as the feedburner issue and the bugs leading up to it. We also
try to preserve forward compatibility with new releases of php, which
can be a pain in the ass. During normal circumstances, however, 2.0
is strictly security fixes. We've had a number of those lately,
unfortunately, but that is due in part to the fact that WordPress
recently has been receiving a huge amount of security audit attention.
We're nearing the point where our security has been picked over by
everyone's fine tooth combs. After the next release, I think the
security updates should slow down.
Here is the log of my discussion with micah:
19:24 Maulkin hendry: I don't see why it shouldn't be supported. 2.0.x
gets security updates only - the work required by the security team is
almost none.
19:25 -!- luk [EMAIL PROTECTED] has quit [Ping timeout:
480 seconds]
19:34 -!- SirMoo [EMAIL PROTECTED] has quit [Ping timeout: 480
seconds]
19:36 -!- luk [EMAIL PROTECTED] has joined #debian-security
19:36 -!- Netsplit charon.oftc.net - unununium.oftc.net quits: madduck,
Falco, zobel
19:38 -!- Netsplit over, joins: zobel, madduck, Falco
19:57 hendry Maulkin: exactly. Was there some debian security conference
about this I wasn't invited to?
19:57 hendry the arguments by vorlon and jmm_ are pitiful
19:59 -!- Frolic [EMAIL PROTECTED] has quit [Quit: Saindo]
20:30 CIA-1 alec-guest * r5512 /data/CVE/list: tcpdump fixed
20:47 micah hendry: yeah they met in vancouver ;)
20:48 micah hendry: the only thing that makes me concerned about
supporting the security in drupal for a couple years is that most of the
2.0.x upgrades that fix security issues also fix other issues at the same
time, so you would have to isolate the security fixes from those for stable
updates
20:50 hendry micah: that's what upstream is keen to do
20:50 hendry no new feature, just security
20:51 hendry in Wordpress btw, not drupal
20:51 micah hendry: i've tracked 2.0.6-2.0.9 and 2.1-2.1.2 and each one
of those releases has been done for security reasons and they all had other
things crammed in them besides just security fixes
20:51 micah err, sorry I was talking drupal with someone else in another
channel ;)
20:52 micah s/drupal/wordpress
20:53 hendry I think that's a little overblown
20:53 hendry but i can't recall the exact 2.0.8-2.0.9 diff
20:55 micah I don't think it's overblown, if you look at the changelog of
each of those you will see
20:55 micah 2.0.6 - 2.0.7 fixed security issues and feedburner issues
20:56 micah gah, they don't distribute a changelog so it's not easy to
gather that quickly :)
20:56 * hendry sighs
20:56 hendry these guys are really trying hard to please Debian
20:57 hendry If I ask them to only support security fixes and not
any-other-type-fixes
20:57 micah i'm not against you here, I actually think that it shouldn't
be kicked out
20:57 micah I'm just saying...
20:58 hendry micah: sure
20:58 micah that if they include other fixes than security ones, that
means you (or the security team if you slack) has to carve out the security
specific things
20:58 hendry i don't want to see that scenario either
20:58 hendry branching their stable branch would be madness
20:59 hendry anyway, I am just feeling the heat here.
20:59 hendry how should I resolve this with vorlon and jmm_ ?
20:59 hendry micah: have you read their arguments on the bug?
20:59 micah i don't know really
21:00 hendry if it is a democracy then my side would win, because a lot
more people support inclusion
21:00 hendry though I don't think it works like that here
21:00 hendry ;)
21:01 micah i think convincing them that it will have security support,
because you are making a firm commitment to making that happen (i.e.
actually making the security updated packages when the hole comes out, and
even drafting the DSA and