[Mageia-dev] RFC: Opening Backports (once again...)

Buchan Milne bgmilne at zarb.org
Tue Jan 3 10:27:12 CET 2012


On Sunday, 11 December 2011 19:43:35 Florian Hubold wrote:
> 
> Whatever the decision is, maybe we could tie this to some conditions:
> Only allow backports if there are near-zero security/critical bugs for the
> stable release or if there are no open bugs for the package in question?

Well, my first question is, *who* is *responsible* for security updates? This 
is not specified in the updates policy (the role assigned to build the 
security update is named 'Maintainer (or any interested packager)'), but who is 
responsible for checking that we have all applicable updates? In Mandriva, it 
was the responsibility of the security team (with cooperation from the 
maintainer in some cases).

At some stage we also need to look at providing vulnerability data in a 
suitable format that supports automated validation (e.g. OVAL?), and a site 
able to browse advisories.

> Just some random crazy idea ...
> 
> IMHO we should focus on security and bugfixes for the stable release,
> and there are currently too many security bugs open, some for a
> really long time, where nothing is happening for months, yet we still
> talk and concern about opening backports.

FYI: the reason I have been slow on updates for Mageia is that I still have 
systems running Mandriva, precisely because the backports situation has not 
been finalised, and I don't want to submit all missing packages in Mageia 1 to 
updates. Once backports is open, I can drop some Mandriva packages, and spend 
more time contributing to Mageia.

So, you can't necessarily say that backports steals time from updates ...

Regards,
Buchan

