Re: Wheezy update of irssi?

2018-02-22 Thread Rhonda D'Vine
* Antoine Beaupré <anar...@orangeseeds.org> [2018-02-16 21:01:48 CET]:
> On 2017-12-22 13:53:46, Rhonda D'Vine wrote:
> > * Emilio Pozuelo Monfort <po...@debian.org> [2017-12-19 20:04:57 CET]:
> >  Given that you would be paid to do the update and me not there is
> > little sense for me to do it, right?  Don't want to step in the way of
> > payrolls.
> 
> Hi Rhonda,
> 
> I am not sure how you want us to proceed from here on... There has been
> yet another set of security issues discovered in irssi, as documented
> here:
> 
> https://irssi.org/security/html/irssi_sa_2018_02/

 I am aware.

> It's your call, really. If you see another option, I'd be happy to hear
> it as well.

 I thought my above statement should have been clear enough?  Again,
I don't want to step in the way of your payrolls, and I am still a
bit disturbed by the fact that oldoldstable gets more attention than
oldstable or stable for the matter, still believe that the priorities
with respect to that are the wrong way around, but you are free to do
what you can and should do, this is still a voluntary project.

 I plan to work on 1.0.7 for unstable, haven't yet made up my mind if I
want to switch to the 1.1 branch (1.0 is said to be supported by
upstream specifically for long time, 1.2 will be the next maintenance
branch), and after that would go so-to-say "top down" from newest
release to oldest release, not the other way around.  So I won't get in
your way there unless I have enough time to get there earlier than you.

 It still would be nice to get some git patchsets for your uploads so I
can apply them to the repository, but my priorities are definitely
rather on fixing-more-current-releases-first than oldoldstable as
highest priority.

> I hope you are well! I'll probably be available to discuss this in
> person at DebConf Taiwan if you'd rather avoid another email
> discussion, although that is rather far in the future...

 Also looking forward to be there. :)
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los  |
Fühlst du dich hilflos, geh raus und hilf, los| Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los|



Re: Wheezy update of irssi?

2017-12-22 Thread Rhonda D'Vine
 Hi there,

* Emilio Pozuelo Monfort  [2017-12-19 20:04:57 CET]:
> On 26/10/17 22:59, Thorsten Alteholz wrote:
> > as the irssi issues are already fixed upstream[1], I added you to 
> > dla-needed.txt
> > for it.
> > 
> > If you don't want to take care of this update, please tell us and then the 
> > LTS
> > Team will handle it.
> 
> We didn't hear from you. Are you planning to work on this? If not, I'll take
> over this to provide an update for wheezy.

 Given that you would be paid to do the update and me not there is
little sense for me to do it, right?  Don't want to step in the way of
payrolls.

 Enjoy,
Rhonda



Re: Wheezy update of irssi?

2017-09-05 Thread Rhonda D'Vine
Dear Lucas,

 maybe you should look into the git repository of the package instead of
assuming what I might mean.  Because like written, I specifically mean
CVE-2017-10965 and CVE-2017-10966 which are fixed in the package that I
uploaded to stretch-proposed and was approved (see #870659).  It is also
found in the corresponding bugreport for those IDs (#867598).

 So, no, I'm not "probably talking about CVE-2017-5393 and CVE-2017-5394".
In case you don't find it through the package metadata, the link to the
git commitdiff is here:
http://git.deb.at/w/pkg/irssi.git/commitdiff/41f84e8

 Enjoy,
Rhonda


* Lucas Kanashiro <kanash...@debian.org> [2017-09-05 13:44:29 CEST]:
> Hi Rhonda,
> 
> The 2 CVEs that I marked as no DSA, security team did the same for
> stretch: CVE-2017-10965 and CVE-2017-1066. Probably you are talking about
> CVE-2017-5393 and CVE-2017-5394, maybe CVE-2017-5356. Those were marked as
> no DSA by another member of the team (LTS and/or security), so I did not
> intend to override someone else's decision. If other members of the team
> agree with that I can promptly prepare an upload for these issues
> targeting Jessie and wheezy.
> 
> I am not here avoiding do things or trying to make your life difficult.
> I am on your side. If I am able to do that I will.
> 
> Cheers,
> 
> On 2017-09-05 08:06, Rhonda D'Vine wrote:
> > Hi,
> > 
> >  erm, those two are already in the stretch-proposed-updates, it
> > shouldn't be much of a burden to carry that over to jessie and then
> > wheezy.  If you really think of leaving those out while they are readily
> > available this looks kinda strange to me, and is just wasted effort
> > because I will have to push them there if you don't.
> > 
> >  So long,
> > Rhonda
> > 
> > 
> > * Lucas Kanashiro <kanashiro.dua...@gmail.com> [2017-09-04 18:54:45 CEST]:
> >> Hi,
> >>
> >> After reviewing the 4 CVEs [0] that affect irssi in wheezy I intend to follow
> >> the Security Team and mark the CVE-2017-10965 and CVE-2017-10966 as no-DSA
> >> and fix the other two, CVE-2017-9468 and CVE-2017-9469. I've prepared an
> >> upload for wheezy-security based on the two patches provided by the
> >> Security Team to fix the mentioned CVEs in jessie, the debdiff is attached.
> >>
> >> If someone has a different idea in mind share with me please.
> >>
> >> Cheers.
> >>
> >> [0] https://security-tracker.debian.org/tracker/source-package/irssi
> >>
> >>
> >> 2017-08-31 8:02 GMT-03:00 Lucas Kanashiro <kanashiro.dua...@gmail.com>:
> >>
> >> > Hi Rhonda,
> >> >
> >> > Do not worry, I can handle that for you, wheezy and jessie. Should I send
> >> > a debdiff to you for revision?
> >> >
> >> > Thanks for your fast reply.
> >> >
> >> > Cheers.
> >> >
> >> >
> >> > On 31 Aug 2017 05:04, "Rhonda D'Vine" <rho...@deb.at> wrote:
> >> >
> >> > Hi,
> >> >
> >> >  there is no update in jessie yet for that, and I try to do such things
> >> > top-down.  I still believe that the priority should be on that instead
> >> > of on the LTS release, but I understand that that doesn't get payment.
> >> >
> >> >  I'm still quite busy here, and the issue is not that big of one, but if
> >> > you want to prepare a wheezy update before I can find the time to
> >> > tackle it pretty please also do a jessie one right ahead too, otherwise
> >> > it looks kinda skew and gives a false impression of your intentions.
> >> >
> >> >  Enjoy,
> >> > Rhonda
> >> >
> >> >
> >> > * Lucas Kanashiro <kanashiro.dua...@gmail.com> [2017-08-30 22:42:27 
> >> > CEST]:
> >> > > Hi all,
> >> > >
> >> > > Any news about this? Will maintainers take care of irssi CVEs in 
> >> > > wheezy?
> >> > >
> >> > > As Antoine said, irssi is one of the packages in our radar. I will wait
> >> > an
> >> > > answer until the end of the week, otherwise I'll prepare an upload 
> >> > > based
> >> > on
> >> > > patches in jessie and stretch.
> >> > >
> >> > > Cheers.
> >> > >
> >> > >
> >> > > 2017-06-27 15:33 GMT-03:00 Antoine Beaupré <anar...@orangeseeds.org>:
> >> > >
> >> > > > On 2017-06-09 10:22:37, Rh

Re: Wheezy update of irssi?

2017-09-05 Thread Rhonda D'Vine
   Hi,

 erm, those two are already in the stretch-proposed-updates, it
shouldn't be much of a burden to carry that over to jessie and then
wheezy.  If you really think of leaving those out while they are readily
available this looks kinda strange to me, and is just wasted effort
because I will have to push them there if you don't.

 So long,
Rhonda


* Lucas Kanashiro <kanashiro.dua...@gmail.com> [2017-09-04 18:54:45 CEST]:
> Hi,
> 
> After reviewing the 4 CVEs [0] that affect irssi in wheezy I intend to follow
> the Security Team and mark the CVE-2017-10965 and CVE-2017-10966 as no-DSA
> and fix the other two, CVE-2017-9468 and CVE-2017-9469. I've prepared an
> upload for wheezy-security based on the two patches provided by the
> Security Team to fix the mentioned CVEs in jessie, the debdiff is attached.
> 
> If someone has a different idea in mind share with me please.
> 
> Cheers.
> 
> [0] https://security-tracker.debian.org/tracker/source-package/irssi
> 
> 
> 2017-08-31 8:02 GMT-03:00 Lucas Kanashiro <kanashiro.dua...@gmail.com>:
> 
> > Hi Rhonda,
> >
> > Do not worry, I can handle that for you, wheezy and jessie. Should I send
> > a debdiff to you for revision?
> >
> > Thanks for your fast reply.
> >
> > Cheers.
> >
> >
> > On 31 Aug 2017 05:04, "Rhonda D'Vine" <rho...@deb.at> wrote:
> >
> > Hi,
> >
> >  there is no update in jessie yet for that, and I try to do such things
> > top-down.  I still believe that the priority should be on that instead
> > of on the LTS release, but I understand that that doesn't get payment.
> >
> >  I'm still quite busy here, and the issue is not that big of one, but if
> > you want to prepare a wheezy update before I can find the time to
> > tackle it pretty please also do a jessie one right ahead too, otherwise
> > it looks kinda skew and gives a false impression of your intentions.
> >
> >  Enjoy,
> > Rhonda
> >
> >
> > * Lucas Kanashiro <kanashiro.dua...@gmail.com> [2017-08-30 22:42:27 CEST]:
> > > Hi all,
> > >
> > > Any news about this? Will maintainers take care of irssi CVEs in wheezy?
> > >
> > > As Antoine said, irssi is one of the packages in our radar. I will wait
> > an
> > > answer until the end of the week, otherwise I'll prepare an upload based
> > on
> > > patches in jessie and stretch.
> > >
> > > Cheers.
> > >
> > >
> > > 2017-06-27 15:33 GMT-03:00 Antoine Beaupré <anar...@orangeseeds.org>:
> > >
> > > > On 2017-06-09 10:22:37, Rhonda D'Vine wrote:
> > > > > Dear Ola,
> > > > >
> > > > >  this is on my board.  The issue isn't that pressing, and I want to
> > fix
> > > > > it for stretch and jessie too, and only do the update for wheezy
> > after
> > > > > those got approved (which I expect).  If it won't be approved for
> > > > > stretch and jessie there is quite little sense to invest to fix it
> > just
> > > > > for wheezy. :)
> > > > >
> > > > >  At least it won't get tackled by the security team, so I don't see
> > much
> > > > > of a pressure that the LTS team should put it high on its priority,
> > > > > there are probably more pressuring things to fix.
> > > >
> > > > Hi Rhonda!
> > > >
> > > > Just to let you know, it's not high priority, but it's still on our
> > > > dashboard. :) LTS issues are prioritized by how many people have the
> > > > affected packages installed, and irssi is one of the packages that have
> > > > "votes". Considering it's a remote DOS, I still believe it's worth
> > > > fixing.
> > > >
> > > > We are happy, of course, to wait for you to make the update if you
> > still
> > > > plan on doing so, now that updates trickled down in stretch/jessie. Do
> > > > let us know, however, if you want the LTS team to take care of it for
> > > > wheezy.
> > > >
> > > > Thanks!
> > > >
> > > > A.
> > > >
> > > > --
> > > > La destruction de la société totalitaire marchande n'est pas une
> > affaire
> > > > d'opinion. Elle est une nécessité absolue dans un monde que l'on sait
> > > > condamné. Puisque le pouvoir est partout, c'est partout et tout le
> > temps
> > > > qu'il faut le combattre. - Jean-François Brient, de la servitude
> > moderne
> > > >
> > > >
> > >
> > >
> > > --
> > > Lucas Kanashiro
> >
> > --
> > Fühlst du dich mutlos, fass endlich Mut, los  |
> > Fühlst du dich hilflos, geh raus und hilf, los| Wir sind Helden
> > Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
> > Fühlst du dich haltlos, such Halt und lass los|
> >
> >
> >
> 
> 
> -- 
> Lucas Kanashiro






Re: Wheezy update of irssi?

2017-08-31 Thread Rhonda D'Vine
Hi,

 there is no update in jessie yet for that, and I try to do such things
top-down.  I still believe that the priority should be on that instead
of on the LTS release, but I understand that that doesn't get payment.

 I'm still quite busy here, and the issue is not that big of one, but if
you want to prepare a wheezy update before I can find the time to
tackle it pretty please also do a jessie one right ahead too, otherwise
it looks kinda skew and gives a false impression of your intentions.

 Enjoy,
Rhonda


* Lucas Kanashiro <kanashiro.dua...@gmail.com> [2017-08-30 22:42:27 CEST]:
> Hi all,
> 
> Any news about this? Will maintainers take care of irssi CVEs in wheezy?
> 
> As Antoine said, irssi is one of the packages in our radar. I will wait an
> answer until the end of the week, otherwise I'll prepare an upload based on
> patches in jessie and stretch.
> 
> Cheers.
> 
> 
> 2017-06-27 15:33 GMT-03:00 Antoine Beaupré <anar...@orangeseeds.org>:
> 
> > On 2017-06-09 10:22:37, Rhonda D'Vine wrote:
> > > Dear Ola,
> > >
> > >  this is on my board.  The issue isn't that pressing, and I want to fix
> > > it for stretch and jessie too, and only do the update for wheezy after
> > > those got approved (which I expect).  If it won't be approved for
> > > stretch and jessie there is quite little sense to invest to fix it just
> > > for wheezy. :)
> > >
> > >  At least it won't get tackled by the security team, so I don't see much
> > > of a pressure that the LTS team should put it high on its priority,
> > > there are probably more pressuring things to fix.
> >
> > Hi Rhonda!
> >
> > Just to let you know, it's not high priority, but it's still on our
> > dashboard. :) LTS issues are prioritized by how many people have the
> > affected packages installed, and irssi is one of the packages that have
> > "votes". Considering it's a remote DOS, I still believe it's worth
> > fixing.
> >
> > We are happy, of course, to wait for you to make the update if you still
> > plan on doing so, now that updates trickled down in stretch/jessie. Do
> > let us know, however, if you want the LTS team to take care of it for
> > wheezy.
> >
> > Thanks!
> >
> > A.
> >
> > --
> > La destruction de la société totalitaire marchande n'est pas une affaire
> > d'opinion. Elle est une nécessité absolue dans un monde que l'on sait
> > condamné. Puisque le pouvoir est partout, c'est partout et tout le temps
> > qu'il faut le combattre. - Jean-François Brient, de la servitude moderne
> >
> >
> 
> 
> -- 
> Lucas Kanashiro




Re: Wheezy update of irssi?

2017-06-09 Thread Rhonda D'Vine
Dear Ola,

 this is on my board.  The issue isn't that pressing, and I want to fix
it for stretch and jessie too, and only do the update for wheezy after
those got approved (which I expect).  If it won't be approved for
stretch and jessie there is quite little sense to invest to fix it just
for wheezy. :)

 At least it won't get tackled by the security team, so I don't see much
of a pressure that the LTS team should put it high on its priority,
there are probably more pressuring things to fix.

 Enjoy,
Rhonda


* Ola Lundqvist  [2017-06-08 21:38:54 CEST]:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of irssi:
> https://security-tracker.debian.org/tracker/CVE-2017-9468
> https://security-tracker.debian.org/tracker/CVE-2017-9469
> (these two CVEs refer to the same patch)
> 
> Would you like to take care of this yourself?
> 
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
> 
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
> 
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
> 
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of irssi updates
> for the LTS releases.
> 
> Thank you very much.




Accepted irssi 0.8.15-5+deb7u1 (source amd64) into oldstable

2016-11-25 Thread Rhonda D'Vine

Format: 1.8
Date: Sat, 24 Sep 2016 16:10:19 +0200
Source: irssi
Binary: irssi irssi-dev
Architecture: source amd64
Version: 0.8.15-5+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Gerfried Fuchs <rho...@debian.org>
Changed-By: Rhonda D'Vine <rho...@debian.org>
Description: 
 irssi  - terminal based IRC client
 irssi-dev  - terminal based IRC client - development files
Closes: 838762
Changes: 
 irssi (0.8.15-5+deb7u1) wheezy-security; urgency=high
 .
   * New patch 23fix-buf.pl to fix an information exposure issue involved with
 using buf.pl and /upgrade (CVE-2016-7553, closes: #838762)



Re: Wheezy update of irssi?

2016-11-25 Thread Rhonda D'Vine
Hi,

* Raphael Hertzog  [2016-11-25 12:04:40 CET]:
> On Sat, 24 Sep 2016, Chris Lamb wrote:
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of irssi:
> > https://security-tracker.debian.org/tracker/CVE-2016-7553
> 
> After further review, I opted to tag this no-dsa meaning that we will
> not handle the issue by ourselves. This information leak is only
> problematic when you run irssi on a multi-user machine and
> when you use /upgrade.

 That's correct.

> This is not a very frequent use case. That said you are still
> welcome to provide an update in wheezy if you wish so.

 Interestingly enough, I tried to push it last night but fumbled with
having forgotten to include the .orig.tar.gz into it.  I will try so
again the coming night.

 Enjoy,
Rhonda



Re: what to do with LTS-backports?

2016-05-19 Thread Rhonda D'Vine
Hi,

* Holger Levsen  [2016-05-19 13:45:56 CEST]:
> apparently some maintainers don't want to support backports in
> wheezy-backports anymore, saying wheezy is oldstable now (and
> unsupported by Debian proper, "just" maintained by the Debian LTS team.)

 That's fine with me, I'm willing to pick up that work personally - as
long as the package in wheezy-backports is current with jessie.  What
I'm unwilling to pick up is packages that aren't up to date with what we
ship in jessie since a year now, having to update them where the
original backporter abandoned the package and doesn't seem to be
interested anymore in maintaining it:

 Looking at the stats, we have 327 out of 1040 [1] backported source
package which have a newer upstream version in jessie than what we have
in wheezy-backports, and an additional 175 packages [2] which have an
updated Debian revision only.  That's kinda *huge*, frankly spoken.

[1] 
[2] 

 I'm not so sure how to move on from that point, frankly spoken.
Removals are never something that sounds nice.

 But: I really don't see this as an LTS issue somehow.  wheezy-backports
are done from stable, and the changed source through patches there
should work/compile in wheezy-backports just the same.  *If* they are in
sync already with the version in jessie.  And like said, I am willing to
do that part.

 There is one area though I have troubles with, and that is
wheezy-backports-sloppy: Those packages come from stretch.  And the
further the releases divert there the more difficult it becomes to
maintain those packages.  This area really means a fair amount of
headache and a burden, and at least from that point of view I'm a bit
worried that the LTS related extending of the lifetime is too much to
carry for most.  If it weren't solely for wheezy-backports, I'd vote for
"yes, keep it during LTS time still".  If it were for
wheezy-backports-sloppy I'd rather in the "please rather not" team.
Personally speaking that is, not with my backports maintainer hat on.

> OTOH, having unsupported backports with known security vulnerabilities
> is bad. So an option would be to _close_ wheezy-backports _now_, also to
> communicate this issue to the users.

 I really would love to have the security tracker supporting the
backports overview again for that ...
https://security-tracker.debian.org/tracker/status/release/stable-backports
is empty - and I highly doubt that that's correct.

https://security-tracker.debian.org/tracker/status/release/oldstable-backports
has things listed (the only backports overview page that has anything,
at all ...), but the issue-pages don't list backports neither, like
https://security-tracker.debian.org/tracker/CVE-2015-7869

> Removing individual backports from wheezy-bpo is both error prone and
> manual busy work on the shoulders of the bpo admins, who wouldn't want
> to do this job.

 Sure, but we already need to do that every now and then when we find
out (by digging up or getting prodded about it) that packages are
unmaintained in a rather long time ...  What we would like is have
backporters be more active in communicating on reasons if there are
troubles with updating the backports and why they don't do it, rather
than having us have to first find out and second prod them for a
statement then ...

> (There is also the problem that some maintainers don't support their
> backports during the life time of stable, but that's a different problem
> IMO. Now we have the problem that backports need to be supported for up
> to 5 years instead of 3 too… this mail is about this 5y problem.)

 Sure, but the 5y problem isn't that big (for regular backports, only
for -sloppy) and if it weren't just that I'd be willing to carry that on
my own, too.  It's not as huge (besides -sloppy) as you seem to imply.

 Enjoy,
Rhonda