On Mon, Dec 04, 2023 at 10:28:02AM +0100, Adrien Nader wrote: > We talked about creating a new "openssl" package that is whatever the > most recent version is (in universe, and probably with no ESM-guarantee > attached somehow). This might need a bit of fiddling with packaging > though and in any case, I've had absolutely no time to do that so far.
Please note that this would be problematic for a number of reasons. If there's something more recent, then users start using it because it's more recent. Then they are surprised when they find that it has security caveats. This just leads to disappointment and frustration all round. We had this situation with MySQL in an LTS release many years ago, and my conclusion following that was that we should never do it again. For this reason, I think it's unacceptable to concurrently ship something newer in a given Ubuntu release unless it comes with all the same quality commitments we make for the older version. > no ESM-guarantee attached somehow I don't speak for Canonical here, but also seems unworkable because how would we describe ESM then? ESM* * except for packages X, Y and Z If you want to "ship" something like this, best be honest about it and put it in a PPA IMHO. Then it'd be clear to users that it comes with no/reduced quality commitments. Robie
signature.asc
Description: PGP signature
-- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
