From: Thijs K. <ki...@sq...> - 2007-03-03 21:30:40
On Thu, 2007-03-01 at 23:39 -0500, Chris Hilts wrote:
> If you want to volunteer to back-port security patches into old
> releases, nobody's going to stop you.

The question of time is the most important one here. But I think we're doing pretty OK by providing the diffs for the security issues we release. I believe that those diffs generally apply to stable at least a year back, if not often to the start of the 1.4.x series.

For me that seems like an acceptable balance. Generating and providing loose patches is not too much work for us, and I think it works for users not willing to upgrade yet as well. We also answer questions about it if they pop up.

If this is not sufficient security support, I'd like to hear what exactly could improve our support. What is the value of releasing 1.4.8a with the same security patch? Then users can just apply the patch themselves.

> If you want this, you should consider using a packaged version of
> Squirrelmail, such as the one Debian provides. It's difficult enough to
> get developers to nail down security patches in two source trees (stable
> AND devel), let alone stable, devel, and obsolete versions as well.

Guess who is backporting the patches to those Debian packages ;)

Thijs