One of the things to keep in mind is that currently the packages in hoary and breezy use a 0.8.x version. When upgrading to a 0.9 series, the database schema has to be converted. For my own use, I backported a 0.9.x package to hoary some time ago, and after the upgrade I had to manually convert the database schema for each project. This didn't cause any further problems, but it makes the upgrade a bit more complicated than one would expect when installing a security update. However, backporting all security fixes is probably a lot of work for a relatively small group of users.
Possibly, the database schema upgrade could be handled by the postinst script, but that doesn't change the fact that the upgrade from 0.8.x to 0.9.x is an upgrade to a new upstream version and not just a security fix. Maybe the latest 0.9.x version should be backported and placed in -updates, since this would provide users with an upgrade path to a secure version. That leaves the default versions in hoary and breezy vulnerable, though.

Wouter

-- 
Trac 0.9.1 and 0.9.2 to fix SQL injection vulnerabilities, 0.9.3 – XSS vulnerabilities
https://launchpad.net/bugs/5297

-- 
universe-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/universe-bugs
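The per-project schema conversion the message describes, as an added example that is not code from the post, from the Trac project or from the Ubuntu packages: a POSIX sh helper that walks one parent directory, recognises Trac environments by their conf/trac.ini and VERSION files, and runs trac-admin's upgrade on each one instead of doing it by hand per project. The parent directory default (/var/lib/trac), the TRAC_ENVS and TRAC_ADMIN variable names and the script name are assumptions; `trac-admin ENV upgrade` and `trac-admin ENV wiki upgrade` are the 0.9-series trac-admin commands.

```shell
#!/bin/sh
# Added example, not from the post or the Trac/Ubuntu packages: upgrade every
# Trac environment below one parent directory to the 0.9 schema.
# Assumptions (hypothetical names): environments live under TRAC_ENVS
# (default /var/lib/trac) and trac-admin is on PATH or named in TRAC_ADMIN.
set -eu

TRAC_ADMIN="${TRAC_ADMIN:-trac-admin}"

# A Trac environment directory carries conf/trac.ini and a VERSION marker
# (both 0.8 and 0.9 write them); anything else under the parent is skipped.
is_trac_env() {
    [ -f "$1/conf/trac.ini" ] && [ -f "$1/VERSION" ]
}

# Run `trac-admin ENV upgrade` on each environment found under "$1".
# One failing project must not block the others, so failures are counted
# and reported on stderr; the count is the function's exit status.
upgrade_trac_envs() {
    parent="$1"
    failures=0
    for env in "$parent"/*/; do
        env="${env%/}"
        is_trac_env "$env" || continue
        if "$TRAC_ADMIN" "$env" upgrade; then
            # The default wiki pages also change between releases; refresh
            # them after the schema upgrade succeeded.
            "$TRAC_ADMIN" "$env" wiki upgrade || failures=$((failures + 1))
        else
            echo "upgrade failed for $env" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Only run the upgrade when executed as a script (hypothetical name), so the
# functions above can also be sourced and called from a postinst.
if [ "${0##*/}" = "trac-upgrade-all.sh" ]; then
    upgrade_trac_envs "${TRAC_ENVS:-/var/lib/trac}"
fi
```

Run it as `TRAC_ENVS=/srv/trac sh trac-upgrade-all.sh` after the new package is installed; a non-zero exit status is the number of environments whose upgrade failed. Because `trac-admin upgrade` rewrites the database in place, take a copy of each environment's db/ directory first; the loop deliberately does not guess where backups should go.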
