Backports with API breaks

If a package has changed API since stable (in a non-backward-compatible
way and without changing binary package name), and/or is likely to do so
before next stable, is that a reason not to backport it?

e.g. pandas has an open backport request [0], but broke 6 of 43 reverse
dependencies when tested before upload to unstable [1]. The ones I know
about can use Breaks:, but there may be more that I don't know about
because they don't have (enough) tests.

Since backports are supposed to be kept up to date, a future release of
the package may add more Breaks. This could potentially be a security
risk if a user installs the backport, it stops updating when a later
version adds a Breaks: on something they have installed, and they hence
don't get a later security fix. However, the absence of a backport is
likely to cause users to obtain the package by non-Debian means (e.g.
pip or conda) that default to no automatic updates.

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826095
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931557
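
The stall described in the message can be checked for before it bites: given the Breaks: field of a newer backport and the versions installed on a host, the sketch below lists the installed packages that the relation matches, using Debian's version ordering. It is an added example, not part of the original message and not code from apt or dpkg. The reverse-dependency names and all version strings are constructed, and architecture qualifiers are not handled.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg order inside a non-digit run: '~' < end of string (0) < letters < other characters
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_str(a, b):
    # Walk both strings as alternating non-digit runs (custom order) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for x, y in zip_longest(map(_order, na), map(_order, nb), fillvalue=0):
            if x != y:
                return -1 if x < y else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def compare(a, b):
    """Debian version comparison; returns a negative, zero or positive number."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "0")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _cmp_str(ua, ub) or _cmp_str(ra, rb)

OPS = {"<<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
       ">=": lambda c: c >= 0, ">>": lambda c: c > 0}
CLAUSE = re.compile(r"([a-z0-9][a-z0-9+.-]+)\s*(?:\(\s*(<<|<=|=|>=|>>)\s*([^\s)]+)\s*\))?")

def blockers(breaks_field, installed):
    """Installed packages hit by a candidate version's Breaks: field (no arch qualifiers)."""
    hits = []
    for clause in filter(None, (c.strip() for c in breaks_field.split(","))):
        m = CLAUSE.fullmatch(clause)
        if m is None:
            raise ValueError(f"unsupported Breaks clause: {clause!r}")
        name, op, ver = m.groups()
        if name in installed and (op is None or OPS[op](compare(installed[name], ver))):
            hits.append(name)
    return hits

# Constructed sample: the reverse-dependency names and all versions are hypothetical.
INSTALLED = {"python3-pandas": "0.23.3-1~bpo9+1", "python3-example-rdep": "1.2-1"}
NEW_BREAKS = "python3-example-rdep (<< 1.3~), python3-other-rdep (<< 2.0)"
print(blockers(NEW_BREAKS, INSTALLED))  # ['python3-example-rdep']
```

Each name returned has to be upgraded or removed before the newer backport, and any security fix it carries, can be installed.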