On Thu, Oct 27, 2011 at 7:28 AM, Ian Jackson wrote:

> The difficulty is that if we end up with ten different versions of
> some random javascript library, when it turns out to have a security
> vulnerability we need to somehow backport the patch to each of those
> ten versions.
>
> And here "we" means the security team, not the people who uploaded the
> ten versions in the first place.

I would assume the security team would just file bugs and let the maintainer deal with it, unless the issue is embargoed?

> So this is rather unpalatable.

Agreed with that part.

--
bye,
pabs

http://wiki.debian.org/PaulWise