
Re: join us!



Note: I don't read -user, just -devel, so I just saw this thread. I
apologize for duplication, if someone already said things I'm going to say
in my message.

Kurt Seifried wrote:
> >Basically, you are forking development.  There is now a version to be
> >found in all the standard places where you get the tar-balls, and
> >another version to be found in Debian.  But they both have the same
> >version number.  This is misleading information.

They have the same upstream version number (the part before the hyphen, `-')
but they do not have the same Debian revision (the part after the hyphen).
Besides, the tarball at the Debian sites/mirrors is still intact, it's just
the Debian patch (a gzipped unified diff) that changed.

> >First, you are forking development.  You are applying code from future
> >modifications to old software.  This poses a significant risk of
> >introducing bugs which will not be reproducible anywhere except in a
> >Debian environment.  This cuts off the non-Debian part of the open
> >source community in cooperating to resolve problems.

The risk of introducing a bug with a patch made by security-oriented people
is quite small because those patches are usually short, discussed on a
mailing list (or several of them), and tested before uploading.

Frankly, I can't remember seeing many Debian security releases of a package
breaking anything compared to the previous (security-wise broken) release of
the package. The most common problem with security uploads that is not related
to security is packages being compiled with wrong dependencies on some
architecture. This happened some three or four times in the last few years,
and the packages were recompiled shortly after people reported it.

> >Second, you are duplicating effort.  Even if your backports of bug
> >fixes can be cleanly applied to the old code, you still must test
> >them.  In some cases, it will not be possible to apply these backports
> >cleanly.  This will require development which has already been done in
> >the main fork.

What can I say - we feel the gain is worth the effort.

> >Third, the effort you invest in this detracts from the effort
> >desperately needed to improve and develop open source software.

Security fixes are an improvement and a result of development of the open
source software that was fixed. There are many users who like the fact
Debian cares about stability and security, rather than caring for getting
the very newest stuff packaged.

> >For these reasons, I find the claim that you are retaining stability
> >to be dubious.  Perhaps it really works sometimes.  I suspect,
> >however, that you have merely chosen another form of instability which
> >is perhaps more to your liking, but not necessarily to mine.

Observing the kind of bug reports users file against Debian packages over
the past year or so, I came to the conclusion that the packages in stable
get far, far fewer bug reports than those in unstable, and the statistic
improves with each new release. You may choose not to believe me because
I'm biased - feel free to take a look for yourself, it's all on
http://bugs.debian.org/.

-- 
Digital Electronic Being Intended for Assassination and Nullification


