
Re: Version numbering for security uploads of native packages



On Sun, Mar 16, 2008 at 06:40:25PM +0000, Adam D. Barratt wrote:
> On Sun, 2008-03-16 at 11:22 -0700, Russ Allbery wrote:
> > "Adam D. Barratt" <adam@adam-barratt.org.uk> writes:
> > > On Sun, 2008-03-16 at 09:06 +0100, Bas Wijnen wrote:
> [...]
> > >> Good idea.  Even better, IMO, would be to use a system which is in
> > >> line with non-native packages.  How about this rule:
> > > [using X.1]
> > >> IMO this solution is slightly better than +nmu1, because it makes
> > >> versions of native and non-native packages more uniformly mangled.
> > >> However, any solution is better than no solution. :-)
> > >
> > > That does seem the most logical suggestion thus far.
> > 
> > I dislike this approach because it makes it impossible for tools like
> > Lintian to recognize NMUs of native packages and perform other
> > NMU-specific checks (such as making sure an appropriate changelog entry is
> > present).  There's no way of knowing whether a native package with a
> > version number of 1.2.1 is an NMU or not.
> 
> Indeed. Luk already pointed out on irc that this is the (or at least a)
> reason .1 wasn't suggested by DevRef.

Ok, that makes sense.  However, with +nmu1, there still is the problem
of how to name security uploads.  With +s1, they sort after +nmu1, which
I think is wrong.

But we're talking about uploads to stable and testing anyway, so the
+etch1 and similar version extensions are used.  Do we want to solve the
bug that they can have incorrect order?  They should at least start with
+X, where X is >> 'b' and << 'n', if they want to sort correctly with
respect to binNMUs and source NMUs.

> > I like the +nmuN approach.
> 
> devscripts 2.10.19 including +nmuN was uploaded earlier this evening.

Good.  That fixes all problems except the security versions[1].
Obviously a solution would be to add +debian<version>.<counter>, where
<version> should be anything that sorts correctly, such as the current
stable version with "testing" added if the upload is to testing.  This
does perhaps result in versions which are longer than anyone would want,
though (like 1.7.5+nmu3+debian3.1testing.1).

Turning "debian" into "deb" and "testing" into "+" would make it
better: "1.7.5+nmu3+deb3.1+.1" is comparable in length to the current
"1.7.5+nmu3+lenny1".

Thanks,
Bas

[1] I'm working on a proposal to reformulate the devref section on NMUs.
    Since there seems to be consensus about using +nmuX, I'll include it
    in the proposal.  If you don't agree that there is consensus, please
    say so. :-)

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://pcbcn10.phys.rug.nl/e-mail.html

Attachment: signature.asc
Description: Digital signature

