
Re: Backports into stable

Scripsit Leonardo Dias <leonardo@catho.com.br>

> I'd like to suggest a default debian backports section so that desktop
> users (such as me) can download backported packages into their distros.

This is one of those obviously good ideas that get less obvious when
examined in greater detail.

Packages that can be built on a clean 'stable' system from unchanged
'testing' source are easy, of course. (At least one can argue that it
is a bug in the source if they don't build cleanly on woody but don't
advertise it with versioned build-dependencies). The problem is where
one draws the line when you get beyond that. Some useful packages
(say, bogofilter) build-depend on things that do not exist in woody,
and which trigger a long cascade of non-woody dependencies.  At some
part in the cascade there's likely to be a *versioned* dependency or
conflict that cannot be satisfied in woody. Does one, then, upgrade or
backport these? Or stick to an earlier post-woody revision without the
conflict? This decision has to be made on a global basis, because a
single apt repository cannot really handle more than one version of
each package name.

The line I draw for my own mixed woody/sarge system at home is fairly
easy to implement on a case-by-case basis, but difficult to describe
in enough detail to automate it. Basically, I don't accept
non-official updates to libc, the compiler toolchain, and a set of
mission or security critical elements of the system. But what is that,
exactly? It depends on what the "mission" is and which security
parameters I want to work within.

What's worse, I also run a woody/sarge mix on my laptop, but it's a
*different* mix, slightly less paranoid, but still retaining the
basic woody infrastructure. I doubt that it would be possible to put
together a single backport repository that would fit my needs for both
of those boxes.

By extension, it would most certainly be impossible to build a single
repository which contained all the flavors of backports anybody would
want. So one would need an explicit policy about how to break ties
between, say, "bogofilter built against woody's libdb3" and
"bogofilter built against backported libdb4.X", both of which would be
useful in particular cases. You are, of course, welcome to propose
such an explicit, implementable policy. It might even turn out to
describe exactly what everybody wants. I wish you luck with developing
it; you'll need it.

Henning Makholm                                      "Punctuation, is? fun!"
