On Wed, Jul 04, 2018 at 11:22:29AM +0100, Tixy wrote:
>
> It's not quite 'fully supported'. The extra support (after the standard
> approx 3 years) is only for a subset of architectures and packages [1].
> Also, that support isn't done by the Debian security team, which in my
> experience means that security updates can come days or weeks after
> the Stable release gets them. (That isn't intended to be a criticism of
> the people working on LTS, just an observation so people considering
> relying on LTS know they may need to be a bit more proactive when
> security issues emerge.)
>
I have also seen the opposite happen plenty of times: the LTS package gets an update before the stable package.
That sort of thing has to do with the different workloads for each of the teams. As you point out, the Security team has responsibility over more packages than the LTS team. There are also plenty of instances where the fix that applies to the package in one suite also applies to the package in the other. It might make sense to wait for the stable fix to be completed and then applied to the LTS package. That results in less duplicate work.

Additionally, I have seen (actually prepared myself) a package where the LTS patch was done before the security team even began to look at the package in stable. As a result, I applied the patches to the package in stable and, since they applied cleanly, I submitted it to the security team. The stable update came several days after the LTS update of the package because, as I am not a member of the regular Security team, one of the team members had to review the changes. Other members of the LTS team have done the same thing on various packages at some point or another.

I simply want to point this out to prevent the impression that LTS constantly lags behind stable.

Regards,

-Roberto

--
Roberto C. Sánchez