[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Version numbering for security uploads of native packages

[nutshell version for those who can't be bothered to read the full
mail :-) - what version number should a security upload of a native
package have]


devscripts 2.10.19 (soon to be uploaded) will modify the behaviour of
"debchange --nmu" to version an NMU of a native package as X+nmu1 rather
than the current X-0.1.

We're aware that the Developers Reference specifies that the latter
format should be used, but it is problematic as -0.1 sorts before +b1
and, as such, the NMU will not supersede any previous binNMUs of the
same package version.

Whilst looking at this change, the question arose of what format
security uploads of native packages should use, both in general and
specifically when debchange's --security option is used.

Currently, debchange will produce a version number of X-0.1 in such
cases which suffers from the problem described above. It has been
suggested that either one of +s1 / +sec1 / +security1 or <release>1
should be used to avoid the issue.

The main difficulty with the latter from the point-of-view of adding
support to debchange is that there's no easy way of mapping a changelog
distribution (e.g. "stable") to a release name, particularly as both
stable and oldstable updates may have "stable" as the last distribution
to which the package was uploaded.

After some discussion amongst the team on IRC we decided we'd be
happiest following either a request from the security team or a
consensus view (or as close to a consensus as -devel ever gets :-).



Reply to: