[ Adding php maintainers, security team and release team to the loop. ]

Hi,

Le 09/11/2014 17:45, Wolfgang Schweer a écrit :

[ About a severe issue that recently popped up. ]

> Seems to be that the update from php version 5.4.4 to 5.4.34 (new
> upstream release) caused the problem.

I can confirm being hit by this issue, and downgrading from 5.4.34, recently introduced by DSA 3064-1, to 5.4.4, still in stable, allowed me to work around this problem (thanks, by the way, for the various investigations and workarounds provided in this bug report).

That makes me wonder: even if we've been warned in the DSA that the new version "includes additional bug fixes, new features and possibly incompatible changes.", simply "refer[ring] to the upstream changelog for more information" sounds a bit like closing our eyes in the hope nothing will break.

Maybe this upgrade will allow us to spot and fix a severe issue in gosa this time, but changing the way (security) updates are handled during the lifetime of a stable release may not be the best way to keep it stable. I do understand that safely backporting (security) patches may be hard sometimes, but that's part of what (used to) make the quality and robustness reputation of Debian, and it would be nice to use such an upgrade to a new (minor) version as a last resort only. Potentially breaking user scripts on security updates is bad, but risking breaking packages distributed in stable sounds even worse.

Regards,
David

P.-S.: hopefully, the increase in DEP-8 adoption and structures like ci.d.n and jenkins.d.n will allow us to spot similar issues in stable sooner in a not too distant future.