On Wednesday, 28 October 2020 6:13:41 AM AEDT Moritz Mühlenhoff wrote:
> The bigger issue here (independent of the whole vendoring aspect) is
> how kubernetes can be supported in a stable release to begin with.
> This was raised by Shengjing Zhu in #959685 before.

If Kubernetes can be supported then such support will be done by upstream, but with an extraordinary amount of dependencies (and upstream reluctance to manage them), I have very low confidence and low expectations for quality of such support.

The problem primarily is that Kubernetes vendors hundreds of dependencies representing a large support surface. Effectively it is a "#include world" (or vendor world) situation. And when it comes to problems in 3rd party vendored libraries, it is worth remembering that Kubernetes don't own them.

> This leaves Debian with two options:
> * Keep it out of a stable release and accept that it's good enough
> if people just install whatever deb they currently find in testing/sid
> (works out well enough for most given that blob nature of Go!)

IMHO this is the most reasonable option and perhaps the only viable one.

> * Follow a scheme similar to Firefox ESR where in case of a security
> the update either happens to the latest minor release of
> the current branch or if that has stopped, happens to the next
> major release.

I think Kubernetes have many more vendored 3rd party libraries than Firefox. IMHO we can not expect the same level of confidence for Kubernetes...

--
Best wishes,
 Dmitry Smirnov
 GPG key : 4096R/52B6BBD953968D1B

---

You have to start with the truth. The truth is the only way that we can get anywhere. Because any decision-making that is based upon lies or ignorance can't lead to a good conclusion.
        -- Julian Assange, 2010