> We talked about creating a new "openssl" package that is whatever the
> most recent version is (in universe, and probably with no ESM-guarantee
> attached somehow). This might need a bit of fiddling with packaging
> though and in any case, I've had absolutely no time to do that so far.

Please note that this would be problematic for a number of reasons.

If there's something more recent, then users start using it because it's
more recent. Then they are surprised when they find that it has security
caveats. This just leads to disappointment and frustration all round.

We had this situation with MySQL in an LTS release many years ago, and
my conclusion following that was that we should never do it again.

For this reason, I think it's unacceptable to concurrently ship
something newer in a given Ubuntu release unless it comes with all the
same quality commitments we make for the older version.

> no ESM-guarantee attached somehow

I don't speak for Canonical here, but it also seems unworkable because how
would we describe ESM then?


  * except for packages X, Y and Z

If you want to "ship" something like this, best be honest about it and
put it in a PPA IMHO. Then it'd be clear to users that it comes with
no/reduced quality commitments.