On Fri, Sep 15, 2000 at 05:05:11PM -0700, Seth Cohn wrote: > > No, the best way would be to contact the _maintainer_ of the package in > question. Ultimately, that person(s) is responsible for the software on > behalf of Debian. > Debian has an excellent system to not only find out WHO maintains the code, > but how to contact them. Either by bugreport programs, website info, or > just dpkg- s <package>, you will get the info you need to contact the right > person. > In an ideal world we would have the time to turn over every stone before we ever said a thing. I don't think any of us can claim innocence here. > >Basically, you are forking development. There is now a version to be > >found in all the standard places where you get the tar-balls, and > >another version to be found in Debian. But they both have the same > >version number. This is misleading information. > > No, they are NOT forking. Consider: the only way to get the Debian version > is from a Debian site. Debian packages are set up as orig.tar.gz and a > Debian Patch. > This prevent the exact problem you are talking about. > This is a good start. Really it is. I still think you're duplicating effort, but it is a very good thing that you're making very clear what you've changed by shipping along diffs. Part of my job, however, is making Linux more accessible to newcomers. To me, it's not that far-fetched to suppose that somewhere down the road someone will look around, see Debian, see the old version numbers, see the issues associated with those versions, and ask the same question. So I'd definitely encourage you to tell people up front that you backport selected improvements, seeking to produce the most stable packages possible. The obvious question I'm failing to answer is where and how you should tell people. Perhaps you should insert this in a statement of your development philosophy. Debian is, in part, a distribution for, and I don't mean this negatively, idealists. So, as idealists, in the positive sense of the word, you can make a statement that you support free software; this is why you separate free from non-free. And you can state your method of development in your quest for stability. If it's well written and succinct, I can hope that people will actually read it. > >First, you are forking development. You are applying code from future > >modifications to old software. This poses a significant risk of > >introducing bugs which will not be reproducible anywhere except in a > >Debian environment. This cuts off the non-Debian part of the open > >source community in cooperating to resolve problems. > > No, this allows Debian to ship 'known stable' but still 'security-hole' > with a minimum of problems. Given the choice between a patched hole of > version 1.2stable and 'secured' 2.0beta, the choice is clear. beta yes. But if I recall the examples correctly, you were three or four versions out of date. Other distributions ship out of date versions too, but my impression is that most of them aren't quite as far out of date. My reading of this is that you're hanging on to old code too long, spending too much time fixing bugs that have already been fixed, and that this is, perhaps, part of the reason you are taking so long to release a distribution. My perception (please do correct me if I'm wrong) is that you have more developers than any other distribution. I also perceive that you're shipping at least three times as many packages as anybody else. I don't think these are trivial advantages; you've got a lot going for you here, where no one else comes close. But my perception of Slink was that it was so old, it was broken. I remember all too well, a bunch of people in my office, installing Debian, running to me because I had a floppy disk with a working dhcpcd. I think you desperately need to shorten the time between releases and I think you have the resources to do it. > Keep in > mind, 99% of the time, the current up-to-date version is in unstable, and > can and will be used by those who want it (they can recompile it for stable > if needed). > Rephrase that to "most up-to-date" version, and we agree. > As for non-reproducible anywhere but Debian, this is why Debian has a > bug-tracking system. And a maintainer who will track and fix those > problems, since they are the patcher in most cases. > Ah, the duplication of effort I already spoke of... > >Second, you are duplicating effort. Even if your backports of bug > >fixes can be cleanly applied to the old code, you still must test > >them. In some cases, it will not be possible to apply these backports > >cleanly. This will require development which has already been done in > >the main fork. > > See above. Development of new things might be worse than a bug-fix. > What if 2.0 breaks things that 1.2 had working? (ie XF864.0 vs 3.3.6) > XFree86 4.0 was admittedly a problem. The XFree86 team said so when they released it and specifically advised people seeking stability to stick with 3.3.6. They didn't bury this information either. It was right there on their home page. I see this as an exception that proves the rule. > Someone took responsiblity to patch things. It's not just 'hey, here's a > patch'. > It's "The maintainer felt that this patch was critical to the software, > even tothe point of a backport." > This is a statement that sounds good. But it overlooks the difficulty involved when patches cannot be applied cleanly, or worse, when you find out the hard way that some patches couldn't be applied cleanly. I think you're duplicating a tremendous amount of effort. > > Backporting specific fixes to earlier releases is not only not "a > > > horrible way to do things", but is absolutely de rigueur in the > > > industry. > > > >You overstate this. Some very valuable improvements are indeed often > >backported. Far more often, the answer to software problems is, > >instead, get the latest version. > > USB 2.2 backport versus 2.4 USB in kernel > You've chosen an interesting example. I heard there were a lot of problems with it in the 2.2 kernels, largely because the backport was taken before the code was really ready in its intended version. I am remembering David Hinds, of PCMCIA fame, who advised me that he very often advises people who encounter difficulty to get the latest version of the pcmcia-cs package. He didn't explain this, but I can see what he's talking about. You see the same thing on the Linux kernel list. Sometimes bugs go away, seemingly, on their own. It can happen when somebody looks at some ugly code and decides to clean it up. He decides what this ugly mess is supposed to do and writes clean code to do it. As long as he understands correctly what the mess is supposed to do, there is a very good chance that the clean code will be more efficient and more robust. In these cases, older versions are not more stable; they contain more ugly hacks. > > > You can't afford to put the entire set of potentially very > > > destabilizing changes into a current or almost-current product! > > > >How can you be so confident that your backporting/forked development > >model introduces significantly fewer destabilizing changes? Have you > >any statistics to validate this? > > Yes, it's called the Debian bugreport and Debian's history of security. > Securityportal.com published a comparison of distributions at http://www.securityportal.com/cover/coverstory20000724.html I see this is also by Kurt Seifried. He didn't really include Debian in the comparison; even if he had, you would presumably accuse him of bias. I'm left searching for an impartial comparison. > >And I believe you are, somewhat, begging the question. How many > >people running the 2.0 kernel chose it for new installations? Are > >they simply running the 2.0 kernel because they choose not to fix what > >isn't broken or, given a new system to set up, are they choosing a 2.0 > >kernel for its vaunted stability? > > Yes. and it's size, and it's known issues (or lack thereof) > We'll have to agree to disagree here, unless you have a poll of 2.0 users to back this up. I don't know anyone who chooses to install a 2.0 kernel, unless they were installing Slink; then they were installing Slink-and-a-Half as soon as it could be found. The footprint would certainly be a legitimate issue, if we find a lot of people choosing 2.0 for that reason. But my sample is skewed. I live and work in San Francisco. Most of the people I know (and all of the ones who would install Debian) can easily afford systems where the size of the kernel is not a particular concern. I can see where your mileage might vary. > > Hope this clears up your questions. > I think we can say this narrows our disagreements. But then I'm known for my stubbornness! -- David Benfell benfell@greybeard95a.com ICQ 59438240 [e-mail first for access] --- There are no physicists in the hottest parts of hell, because the existence of a "hottest part" implies a temperature difference, and any marginally competent physicist would immediately use this to run a heat engine and make some other part of hell comfortably cool. This is obviously impossible. -- Richard Davisson [from fortune]
Attachment:
pgpfqZDWGOpmZ.pgp
Description: PGP signature