
Re: Version numbering for security uploads of native packages



On Sun, Mar 16, 2008 at 03:47:56AM -0700, Steve Langasek wrote:
> The current binNMU numbering scheme was selected explicitly to allow
> security uploads to sort later by numbering as
> <last_version>+<release><serial>; e.g., 1.2-5.1+etch1.

This could also lead to a problem in very rare cases: If a program has
the same version in stable and testing, and gets a security update, then
they both get a similar version.  For example, say 1.2-5.1+sarge1 in
stable and 1.2-5.1+etch1 in testing.  Now the version in testing is
lower than that in stable, because "etch" << "sarge" (which is why I
didn't use current names, since "lenny" is, by chance, >> "etch").  If
this happens close to a release, and there is no new unstable
(non-security-versioned) upload migrating to testing, this means users
will end up with the oldstable version of the package (which may contain
dependencies on wrong library versions, for example).

This may never be a problem in reality, but it is a real bug in the
numbering scheme, AFAICS.

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://pcbcn10.phys.rug.nl/e-mail.html


