Debian discusses vendoring—again

Posted Jan 15, 2021 14:49 UTC (Fri) by LibreTan (guest, #144205)
In reply to: Debian discusses vendoring—again by gnu_lorien
Parent article: Debian discusses vendoring—again

I feel that one of the possible solutions to this might be as follows:

Debian can only provide LTS for those packages whose upstream provides LTS.

Example:
Firefox provides ESR so include it in Debian Stable release.

For all other software that does not provide LTS upstream, it should work as OSTree layering only or through Flatpak only.

If upstream is not providing LTS for their software then how can Debian?



Debian discusses vendoring—again

Posted Jan 16, 2021 3:44 UTC (Sat) by foom (subscriber, #14868)

I bet the vast majority of software already in Debian does not provide any LTS support, whatsoever.

Now, there won't be CVEs for most issues that were fixed only in main devhead in most software, because nobody is really looking closely enough.

But in the rare case that there is such a CVE, generally Debian would just have to backport the patch.

Debian discusses vendoring—again

Posted Feb 9, 2021 6:22 UTC (Tue) by plugwash (subscriber, #29694)

The problems I see are:

1. Many upstreams' idea of "LTS" is far shorter than Debian's idea of regular support.
2. While some projects may be on top of security issues in their dependencies, I would wager the majority are not.

For Firefox they have resorted to moving to new upstream "LTS" release series within stable releases of the distro. That is just about tolerable for an end-user app like Firefox, but it's really not reasonable for things that are key infrastructure components (and even for Firefox it's problematic because Firefox updates force rustc updates...).


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds