On Wednesday, 28 October 2020 6:13:41 AM AEDT Moritz Mühlenhoff wrote:
> The bigger issue here (independent of the whole vendoring aspect) is
> how kubernetes can be supported in a stable release to begin with.
> This was raised by Shengjing Zhu in #959685 before.
If Kubernetes can be supported then such support will be done by upstream,
but with extraordinary amount of dependencies (and upstream reluctance to
manage them), I have very low confidence and low expectations for quality
of such support. The problem primarily is that Kubernetes vendors hundreds
of dependencies representing a large support surface. Effectively it is
"#include world" (or vendor world) situation. And when it comes to problems
in 3rd party vendored libraries, it iw worth remembering that Kubernetes
don't own them.
> This leaves Debian with two options:
> * Keep it out of a stable release and accept that it's good enough
> if people just install whatever deb they currently find in testing/sid
> (works out well enough for most given that blob nature of Go!)
IMHO this is the most reasonable option and perhaps the only viable one.
> * Follow a scheme similar to Firefox ESR where in case of a security
> the update either happens to the latest minor release of
> the current branch or if that has stopped, happens to the next
> major release.
I think Kubernetes have many more vendored 3rd party libraries than Firefox.
IMHO we can not expect the same level of confidence for Kubernetes...
--
Best wishes,
Dmitry Smirnov
GPG key : 4096R/52B6BBD953968D1B
---
You have to start with the truth. The truth is the only way that we can
get anywhere. Because any decision-making that is based upon lies or
ignorance can't lead to a good conclusion.
-- Julian Assange, 2010
Attachment:
signature.asc
Description: This is a digitally signed message part.