On 2019-05-13 09:42:30 -0400 (-0400), Jean-Philippe Evrard wrote: [...]
> I agree with Jesse, we should do as much upstream as we can, so that the whole community benefits from it. If things are updated on a best effort basis in u-c, more than a single project benefits from this. If things are not updated on a best effort basis, then source based deployment projects should discuss together on making this a reality. In all cases, this deserves documentation if it's not documented already (I totally missed that part of the documentation myself).
I don't see anything wrong with a best-effort attempt by folks who build or rely on source-based deployments from stable branches; my primary concerns remain:

1. This goal is tangential to (and even conflicting with) the purpose of the requirements repository's upper-constraints.txt file, so should probably be managed independently of that.

2. As a project we should be clear that this is a not-at-all-timely post-hoc attempt at reflecting somewhat secure deployment sets and can't guarantee we will always be able to find a solution for (or perhaps even notice) many future vulnerabilities in the transitive dependency tree where stable branches of our software are concerned.

-- 
Jeremy Stanley