Re: Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
"Kevin B. McCarty" <firstname.lastname@example.org> wrote:
> If you see packages for which a Debian-specific patch seems unnecessary,
> please by all means file a bug (severity wishlist) requesting that the
> patch be either reverted or submitted upstream.
Most of the time the patch is already submitted upstream, but not yet applied
or released. If you look at the Debian changelogs you find a lot of
"drop XXX patch, applied upstream". This is done to bring the fix
to the user faster. The question is: is this worth it? Maybe it is,
but only for certain patches? Is there a policy?
> Speaking only for myself, let me comment on some "extensive patching".
> I guess that some of my physics-related packages (cernlib, paw) are
> among the more heavily patched in Debian. Unfortunately upstream is
> dead, so there is *no way* to see the patches incorporated there.
As others have already pointed out: in this case, it should be
considered a fork.
> And even before they gave up the ghost, they were very conservative,
> refusing to consider most patches more complicated than trivial changes
> to fix complete breakage.
Open source development works well only if splitting up the
development into different branches or even forks is strongly
avoided and done only if it is strictly necessary. IMHO the
Debian way of doing things makes it far too easy for package
maintainers to diverge from the upstream source. I can't really
comment on the examples you have provided, but in general, I feel
that Debian has not found the right balance here.