Re: python-django_1.8.18-1~bpo8+1_amd64.changes REJECTED

Hi,

I'm ignoring the personal attack and threats of ACL removal because that
does not bring the discussion further, but I want to highlight that you
could have avoided this: I have not said anything bad about your work, I'm
just discussing the policy.

On Wed, 24 May 2017, Rhonda D'Vine wrote:
>  Thing that Scott raised: LTS support for backports for such packaging
> approaches can under no circumstances be carried by the LTS team.  What
> could be possible for them is following when some update happens in
> $stable to add it to $oldstable-backports because the diff is expected
> to be minimal.  If we have versions in $oldstable-backports that have no
> connection whatsoever to the version we have in $stable then that can't
> simply be taken over by others.  The effort to maintain that further is
> immensely higher.

When upstream is still maintaining the branch that is currently in
$oldstable-backports, the effort is not immensely higher, no.

And furthermore since we have an upgrade path from $oldstable-backports
to $stable, we can always decide to stop maintaining the LTS branch
in $oldstable-backports and bump straight to a backport of $stable.

Right now, I'm maintaining 1.8.x in jessie-backports, we have 1.10.x in
stretch. If I disappear and nobody else is willing to maintain 1.8.x, you
can just backport 1.10.x from stretch into jessie-backports and you will
be fine.

>  I can see that you might be willing to carry that extra burden for your
> own sake, but it leaves the burden to be able to maintain it in cases
> you lose interest very high, if not very impractical.  This is the
> reason we speak very vocally against having that changed.

This is not true, cf. above.

>  Also, the fact that we have well over 25% of the packages that currently
> sit in jessie-backports not in sync with the upstream version from
> stretch is something that I consider highly alarming.  A fair amount of
> those packages got uploaded to be (build-)dependencies of other packages
> in backports.  I see a very low commitment to maintain packages properly
> in backports, and adding another layer of maintenance hell onto it won't
> fix that in any sense.

The fact that they are not in sync is not highly alarming as long as the
package is not affected by an open CVE.

You take this as a sign of "low commitment". Now you have a committed
maintainer in front of you. You should be happy. Why are you not trying to
support his work instead of blindly refusing his security updates because
they do not come from testing?

Since I need Django 1.8.x in jessie-backports (for installation by DSA on
tracker.debian.org), I could have uploaded 1.8.5 and stopped there. But
I'm actually trying to follow the backport policy of keeping the package
secure. And you are punishing me for this.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
