Re: Dreamhost dumps Debian

On Tue, Aug 20, 2013 at 06:35:08PM +0200, Pau Garcia i Quiles wrote:
> On Tue, Aug 20, 2013 at 6:25 PM, Ian Jackson <
> ijackson@chiark.greenend.org.uk> wrote:

> > > The bigger problem for a Debian LTS is this: 1. who is going to do
> > > > security support for it ?

> > > The same people that maintain the packages in sid and stable: the
> > > maintainer(s) for each package. [...]

> > That is not the case.  At the moment most of this is done by the
> > Debian security team.  Of course some package maintainers do help.

> IMHO that should be turned around: package maintainers should be the ones
> responsible for updates and the Security Team should help with that (e. g.
> by providing tips and/or reviewing the fixes)

That's not the understanding that was in place when I joined Debian.
Certainly there seems to be a move by the security team to push more and
more responsibility onto the package maintainers lately; I understand the
motivation (like everyone else they have more to do than they have time to
do it in), but I think the outcome, whereby the security team denies use of
the security update channel for non-"critical" security bugs and redirects
maintainers to stable-updates instead, is unfortunate.  As far as I'm
concerned, a security fix that isn't worth being pushed to
security.debian.org is also not worth me spending time on as a maintainer to
push to stable-updates.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org