[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Maintaining intermediary versions in *-backports

[ The topic here is maintaining a version X in $foo-backports when $foo+1
contains a version higher than X, eg in my case keep maintaing Django
1.8.x in jessie-backports while stretch has 1.10.x ]

Hello,

let's start a proper discussion based on facts. The other thread
has gotten needlessly personal. I want to start with what I said
in https://lists.debian.org/debian-backports/2017/05/msg00106.html

The reason for the reject of my upload was "please take the version from
testing, not a version that never was in the archive". But the rules
(https://backports.debian.org/Contribute/) say this:
> To guarantee an upgrade path from stable+backports to the next stable,
> the package should be in testing.

Note the "should", it's not a "must". And my upload perfectly met the
criteria for that suggestion: my backported package upgrades fine to
the next stable.

The policy goes further by defining exceptions:
> Of course there are some exceptions: Security updates.

I initially uploaded a version that was in testing and all the subsequent
uploads I made were security updates (in the form of upstream point
releases).

Honestly, I really think that I'm fully in the spirit of the backport
policy and that this rejection is unwarranted.

Dear backport maintainers, what are your replies to this?

I understand what you expect from me (always backport the latest package from
testing, possibly unstable for security updates that will shortly migrate
to testing anyway). But this is stricter than what you have written down,
and I don't see any benefits on enforcing your stricter version.

There are obviously rules to follow for the benefit of our users, and
having to keep the package secure is one of them. But I don't see why
you would enforce this only through the backport of the latest testing
version when you have a maintainer that is willing to do the security
work by tracking upstream point release of the initial version that
entered stable-backports (regularly, aka as a true testing backport).

I care deeply about this and would like a sane discussion, please. If
the topic comes every so often as you seem to point, maybe there's an
important use case that we should try to cover... and as long as we
don't have working PPA, it's quite natural for maintainers to want to
use stable-backports in that way.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Reply to: