by peppermint_gum 1117 days ago
This is the official Debian repository. The package versions are frozen in each major Debian release. However, they may backport security and bug fixes.

In practice, in the case of less popular packages, they do this on demand, when someone requests it in the bug tracker.
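The point above, that a frozen-release package can carry backported fixes without its upstream version ever changing, means the version string alone does not tell a user whether a fix is present. As an added example (not from this thread, and not Caddy's or Debian's own tooling), here is a small parser for a Debian-format changelog that reports which CVE identifiers each package revision claims to fix and answers "does installed revision X include the fix for CVE Y" by changelog order, which avoids reimplementing dpkg's version comparison. The changelog text, package name, dates and CVE identifiers (year 2099) are constructed placeholders, not real advisories.

```python
import re
from dataclasses import dataclass, field

# Constructed sample changelog in Debian format. The package name, dates and
# CVE identifiers (year 2099) are placeholders, not a real package or advisories.
SAMPLE_CHANGELOG = """\
examplepkg (2.4.6-1+deb11u2) bullseye-security; urgency=high

  * Backport upstream fix for CVE-2099-0003: reject oversized headers
    (follow-up to the CVE-2099-0001 change)
  * Extend the regression test for CVE-2099-0003

 -- Jane Maintainer <jane@example.org>  Tue, 14 Feb 2023 10:00:00 +0000

examplepkg (2.4.6-1+deb11u1) bullseye; urgency=medium

  * Cherry-pick upstream commit fixing CVE-2099-0001, CVE-2099-0002

 -- Jane Maintainer <jane@example.org>  Mon, 03 Oct 2022 09:00:00 +0000

examplepkg (2.4.6-1) unstable; urgency=medium

  * New upstream release

 -- Jane Maintainer <jane@example.org>  Wed, 01 Jun 2022 08:00:00 +0000
"""

# "pkg (version) distribution; urgency=level"
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+); urgency=(\S+)\s*$")
# " -- Name <email>  date" closes an entry
TRAILER_RE = re.compile(r"^ -- .+  \S.*$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


@dataclass
class Entry:
    package: str
    version: str
    distribution: str
    urgency: str
    cves: list = field(default_factory=list)  # in order of first mention


def parse_changelog(text: str) -> list:
    """Parse a Debian changelog into entries in file order (newest first)."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Entry(*m.groups())
            entries.append(current)
            continue
        if current is None:
            continue  # text between a trailer and the next header
        if TRAILER_RE.match(line):
            current = None
            continue
        for cve in CVE_RE.findall(line):
            if cve not in current.cves:
                current.cves.append(cve)
    return entries


def upstream_version(debian_version: str) -> str:
    """Strip epoch and Debian revision: '1:2.4.6-1+deb11u2' -> '2.4.6'."""
    v = debian_version.split(":", 1)[1] if ":" in debian_version else debian_version
    return v.rsplit("-", 1)[0] if "-" in v else v


def fixed_cves(entries: list) -> dict:
    """Map each CVE to the oldest package revision whose changelog mentions it."""
    fixed = {}
    for entry in reversed(entries):  # oldest first, so the first fix wins
        for cve in entry.cves:
            fixed.setdefault(cve, entry.version)
    return fixed


def has_fix(entries: list, installed_version: str, cve: str) -> bool:
    """True if the changelog claims `cve` is fixed at or before `installed_version`.

    Entries are newest first, so the fix is present when the fixing entry's
    index is >= the installed revision's index. Unknown revisions or CVEs
    yield False rather than a guess.
    """
    index = {e.version: i for i, e in enumerate(entries)}
    fix_version = fixed_cves(entries).get(cve)
    if fix_version is None or installed_version not in index:
        return False
    return index[fix_version] >= index[installed_version]


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    for e in entries:
        print(f"{e.version:<18} upstream={upstream_version(e.version):<7} "
              f"{e.distribution:<18} CVEs={e.cves or '-'}")
    for v in ("2.4.6-1", "2.4.6-1+deb11u1", "2.4.6-1+deb11u2"):
        print(v, "has fix for CVE-2099-0001:", has_fix(entries, v, "CVE-2099-0001"))
```

On a Debian system the real inputs are the installed package's changelog (`zcat /usr/share/doc/<pkg>/changelog.Debian.gz`) and `dpkg-query -W -f='${Version}' <pkg>`; every entry in that file shares the same upstream version, which is exactly why the upstream project cannot tell from "2.4.6" alone which fixes a user has. The changelog records what the maintainer says was backported, not an independent verification; the Debian security tracker is the authoritative per-CVE status.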


Well, users should know that if they report issues while using releases from that source, we can't reasonably help them, and that they should use an official release to get bug and security fixes promptly.

I want to emphasize that we have no contact at all with the people maintaining that Debian package, they've never reached out to discuss anything. We're absolutely open to that (and they know where to find us, not hard to contact us either on GitHub, Twitter, our forums, here, etc).

It's exactly the same way tens of thousands of other packages have been shipped for decades, including many other web servers like nginx, httpd, lighttpd. No need to paint so much drama over this.

They will contact you if the need arises. It's the same usual process that has been used since the 90s to great success.

Users will reach out to us first, not to Debian, because we're easier to reach for help (via social or our forums). If they tell us they're using an outdated version which doesn't have the fix for what they need, I have no other choice but to tell them to stop using the Debian-maintained package, and use our officially maintained package.
> Users will reach out to us first, not to debian, because we're easier to reach for help

Maybe. That is indeed a risk with third party distribution.

But do note that Debian has its own support channels and infrastructure (like the "reportbug" tool: https://packages.debian.org/stable/utils/reportbug).

Oh please, you do have plenty of other choices.

It's ok to not want to support older versions or downstream packages (even if imo there is value in doing so) but don't be a drama queen and claim you can't.

Choices such as? How else would we get the user to run an updated release with the fixes they require?
Has anyone actually done any research on how good the backporting of security fixes is in frozen distros?

Maybe it's pretty good for very popular packages, but how about the more niche ones (and when it comes to Debian I'm not sure how popular Caddy is in their view)?

Anecdotally, my experience has been okay... but not great -- you can end up with something Frankenstein would create

The versions often feel arbitrary and don't line up. For example... I've been watching this for years:

https://bugs.launchpad.net/ubuntu/+source/firewalld/+bug/183...

This is more on the edge case side of things, too. Not really security patch related -- but a consequence of picking/choosing component levels

With this, the firewall can randomly just stop being effective.

When things aren't exactly upstream, the knives you're juggling get a little bigger and more unbalanced.