Backports with API breaks

To: debian-backports@lists.debian.org
Subject: Backports with API breaks
From: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>
Date: Wed, 29 Apr 2020 15:04:03 +0100
Message-id: <[🔎] 82776cd0-7806-5cf8-522c-c4a052e18f47@zoho.com>

If a package has changed API since stable (in a non-backward-compatibleway and without changing binary package name), and/or is likely to do sobefore next stable, is that a reason not to backport it?

e.g. pandas has an open backport request [0], but broke 6 of 43 reversedependencies when tested before upload to unstable [1]. The ones I knowabout can use Breaks:, but there may be more that I don't know aboutbecause they don't have (enough) tests.

Since backports are supposed to be kept up to date, a future release ofthe package may add more Breaks. This could potentially be a securityrisk if a user installs the backport, it stops updating when a laterversion adds a Breaks: on something they have installed, and they hencedon't get a later security fix. However, the absence of a backport islikely to cause users to obtain the package by non-Debian means (e.g.pip or conda) that default to no automatic updates.


[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826095
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931557

Reply to:

Follow-Ups:
- Re: Backports with API breaks
  - From: Thorsten Glaser <t.glaser@tarent.de>
- Re: Backports with API breaks
  - From: Sean Whitton <spwhitton@spwhitton.name>

Prev by Date: Re: node-yarnpkg: please update backport to fix CVE-2020-8131
Next by Date: Re: Backports with API breaks
Previous by thread: Re: node-yarnpkg: please update backport to fix CVE-2020-8131
Next by thread: Re: Backports with API breaks
Index(es):
- Date
- Thread