[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Use volatile?

> On Sun, Jul 31, 2005 at 11:10:04PM +0400, Nikita V. Youshchenko wrote:
>> As it is being currently discussed on debian-security [1], security
>> team has hard times supporting mozilla family of packages, because of
>> unfriendly upstream policy - they don't want to isolate security fixes
>> from a large changesets of new upstream releases. And given the huge
>> size of the package, isolating security patches at Debian level also
>> fails.
> [..]
>> Maybe in rare cases like this one, when these seems to be no other way
>> to keep important package set secure, we should allow new upstream
>> into Debain Stable?
> What happens if they require new versions of libraries which already
> exist in stable?

It depends on the nature of the dependency.
If recompilation against version in debian stable is possible, no problem.
This will be the case in most situations I believe.

If some new library feature will be needed - it's more interesting.
Probably should be examined on case-by-case basis.

> I think you need a couple of ways out and to decide between them
> possibly just leaving well alone and making users aware of the issue
> (perhaps pointing them at volatile?) if library upgrades are needed as
> well as the case where new self-contained upstreams could be allowed in.
> Is volatile not a better general place for such packages though really?
> Maybe we just need more emphasis on volatile to our users.  (i.e. get
> the installer to prompt about it etc).

I don't have anything agaist using volatile for this.

The only thing that is IMHO a must - it should still be possible to
install/upgrade/uninstall packages with normal debian package management

Reply to: