Catching up on this...
> > This leaves Debian with two options:
> >
> > * Keep it out of a stable release and accept that it's good enough
> >   if people just install whatever deb they currently find in testing/sid
> >   (works out well enough for most given that blob nature of Go!)
>
> IMHO this is the most reasonable option and perhaps the only viable one.

Ultimately that's for the release team and/or CTTE to make a call on. And this whole discussion also needs the input of Janos as the current kubernetes maintainer.

> > * Follow a scheme similar to Firefox ESR where in case of a security
> >   the update either happens to the latest minor release of
> >   the current branch or if that has stopped, happens to the next
> >   major release.
>
> I think Kubernetes have many more vendored 3rd party libraries than Firefox.
> IMHO we can not expect the same level of confidence for Kubernetes...

But each of their releases constitutes a bundle of third party libraries they've vetted to work together, so this seems to work in practice? (as can be seen by the 1.19 upload from today). Or maybe I'm missing the specific concern of yours, is this about them missing fixes in their bundled libs?

Cheers,
Moritz