Backporting only the fixes does not appear to be feasible, but following upstream is supposedly not the right thing to do.
As becomes clear from the version history and security advisories, this leaves a package with quite a few issues in the repository. I believe the package should be removed from the repository if it is not possible to regularly update it. The only negative consequence of removing the package appears to be that it might be less convenient to install and remove the package, but in the case of drupal7, this is a rather minor inconvenience. The benefit is clear: removing the package forces users to be aware of the need to actively watch for issues and apply updates, instead of (falsely) relying on the community maintaining the repository to take care of that. However, it might be possible to follow the upstream releases more closely, but to me it is not clear how to set the necessary machinery in motion, or contribute to the process.

--
https://bugs.launchpad.net/bugs/1262813

Title: multiple security issues in drupal7 package
