* Michael Stone:

> On Wed, Dec 22, 2004 at 03:03:29PM +0100, Florian Weimer wrote:
>> My best guess is that things are fine until Debian is the last guy
>> left in town, and no one else (upstream, other vendors) supports the
>> version in stable. Is this correct?
>
> Eh, and the other point I forgot to include is that other distributions
> aren't shy about just releasing a new version rather than backporting if
> the fix is non-trivial.
I think such a policy makes sense. Actually, I don't think we have much choice. 8-/

However, most of our packages haven't got test suites, and our dependency graph is certainly more convoluted than Red Hat's. For example, Red Hat probably has only a handful of packages which depend on PHP. How do we make sure that the upgrade does not break any of the PHP-based packages we ship?

My current idea is to borrow an idea from Microsoft: Create a Patch Validation Program. Under this program, you get access to security fixes before the official release, and you can test if your applications break.

Of course, Microsoft requires NDAs because they actually give you binaries a week or so before the regular patch day. Debian wouldn't be able to do this, so patch validation could begin only after the issue has been disclosed. We could use a separate public archive, and after some soaking period, the new packages could be officially released on security.debian.org.