[Dropping -release and -volatile] Jan Wagner wrote:
> Hi Romain,
>
> On Wednesday 22 April 2009, Romain Beauxis wrote:
>> However, I wonder if this would need yet another archive, or just an
>> update of a policy, either in backports.org or volatile..
>
> DUNNO for volatile, but the ftp-master of bpo, which is actually doing the
> main work, clarified that they don't like to be responsible for PHP based
> packages, which is the most potential language of the applications which
> match the criteria.

I think the situation is more or less (please pay attention to that, will clarify later) that maintainers don't feel like doing the necessary work to fix the issues as they are found. I'm in no way saying that they are lazy or irresponsible; web apps are by nature more exposed to security threats than most other kinds of apps; at times upstreams are not helpful, at times upstream lacks the necessary knowledge, at times it is the maintainer, at times they are both, at times it is the scripting language as well.

But any app that won't be properly supported should not be shipped in a stable release, and proposing yet another repository doesn't feel like the right solution. Instead, in the perfect situation, maintainers should learn more about the language of the application, the security implications, detecting and fixing security issues, etc., so that they take care of their packages.

The goal is to work towards improving, not just giving up by creating another dump repo. And since there are cases where it is not feasible or even doable to work towards improving the security of the app because of upstream, those cases should be re-considered and probably better removed. Re-writing is not always a bad idea.

(No need to reply with messages such as "who is going to re-write it?"; please remain focused on the topic.)

Cheers,
Raphael Geissert