Stable channel update policy for programs with update checkers

As far as I understood, only security-relevant fixes are supposed to be backported to a stable channel during its life-cycle.
But some packages don’t really declare whether an update is security-relevant and, even worse, include their own update checks. These are for example zeal or zotero.

How do we want to deal with these packages?

  • patch out the update checks and don’t update
  • don’t patch out the update checks and update them once the checker is triggered
  • patch out the update check but also update the package in the stable channel

Disable the update checks (if possible), update on master and backport them if it falls into a category described: [RFC 0029] Backports team by samueldr · Pull Request #29 · NixOS/rfcs · GitHub

Some applications that depend on external services might always need a backport to function correctly i.e. dropbox.