On Mon, Oct 02, 2006 at 12:46:10PM -0400, Mike Connor <[EMAIL PROTECTED]> wrote:
>
> >>To my knowledge, Debian isn't including "extra" security fixes over
> >>and above what we're shipping. If they are, that would possibly be
> >>considered an act of bad faith between downstream and upstream,
> >>unless the security bug was Debian specific. This type of potential
> >>"Firefox from foo is better than Firefox from bar" comparison is
> >>something we have explicitly avoided.
> >
> >As pointed out many times, we've had to backport security fixes
> >ourselves into 1.0.4 because security support has dropped for the 1.0
> >branch. So whether that's "extra" or not, I don't know. Even if we
> >added a security patch that the original version didn't have I don't
> >see how we could act in bad faith. Even if we somehow neglected to
> >file a bug report on it, it's not like we could hide the fact that we
> >had added the patch from you.
>
> Backporting security fixes from newer releases is not really "extra"
> in my mind. It'd be fixing stuff that isn't fixed elsewhere without
> discussing it with us.
>
> The argument for fixing upstream is that by taking a fix for a bug
> that's unpatched upstream, you will call attention to that potential
> exploit, and thus put non-Debian users at risk.
Are you suggesting we don't patch the branches you don't support any more?

Mike