> I am not a Debian developer, and I agree that sending fixes upstream
> is good. But surely you're aware that the whole point of "Debian
> stable" is that it does ***not*** change to newer versions of programs
> after release, apart from security fixes? Debian is well known for
> taking the word "stable" seriously (e.g. [1]) and it's a reason people
> choose them.
>

Are they also backporting security fixes for all extensions as well?
If not, then they are doing a serious disservice to their users. Some
extensions have had some *really* serious vulnerabilities. We
generally mark these as such when we find them, but the warnings go
away when the vulnerabilities are fixed. Unfortunately for those using
old versions of MediaWiki, they may never know the extension was
vulnerable for the version they are downloading. Maybe we should be
more vigilant about how we mark things, but it is difficult to manage
this for all extensions, especially since they aren't all code
reviewed.

If Debian doesn't feel they should keep supported versions in their
repos, maybe they shouldn't distribute MediaWiki.

Respectfully,

Ryan Lane

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l