It is surprising to me how popular the backport policy has become, because the serious dangers ought to be obvious (and hopefully Jonathan's article will help work them into the community's consciousness). This is far from the first time this has happened; just look at this LWN vulnerability report for another instance and some discussion.
I tried to raise this with the Debian security team, but made no headway. I think they have misjudged the security/stability trade-off: the security issue is much worse than they allow, and the stability issue is manageable. Most projects are quite good about not breaking things in their stable branches; and even if they occasionally break things, we should respond by 1) working with upstream to create more stable "stable" branches and 2) improving our testing processes, not by reverting to minimal (and inevitably incomplete) security fixes.
Copyright © 2017, Eklektix, Inc.