On Tue, Mar 23, 2021 at 02:34:52PM +0100, Léo Le Bouter wrote:
> In general my opinion is that backporting fixes is time-consuming and
> that if we have to do it each time I wont be able to keep up with the
> load. I'd rather update things to a version that already includes fixes
> and is supported by upstream even at the cost of world rebuilds. I
> can't deal with upstreams who either do not backport fixes, or don't
> integrate fixes at all.

I agree, backporting is more time-consuming (and energy-consuming) than
upgrading.

But, you don't have to keep up with the load.

We can only do our best, and it's important for each of us to find a
level of commitment that we are able to sustain.

When we compare Guix to other volunteer distros, there have been times
when Guix did more security updates than any other distro, and times
when we were average, and then times when we were below average. At no
time did I perceive that it made a difference to how many people use
Guix.

Ultimately, I think the winning strategy is to work in a way that makes
it easy for other people to help. For example, by filing bug reports
about security updates being available, so that others can write the
patches. The idea is that, over time, we will build a team of people
writing security update patches.