Martin Uecker wrote:
> little.miry@gmail.com wrote:
> > I disagree. The cause of the disaster was not that Debian does its own patching, but the fact that that patch was buggy.
>
> Buggy patches happen all the time. The question is, how could something as bad as this slip through? And one important reason is IMHO, that splitting up the development/bug fixing/review by creating different software branches is bad.

Different software branches in what respect? Just by nature of having a distro "package"?

> > It's not a secret that many projects benefit from Debian patches, so there might be something good with them. On the whole I think that Debian benefits a lot from custom patches, and in fact many packages would be severely buggy and/or wouldn't integrate properly with the rest of the system without them.
>
> Clearly, Debian adds value by its patches. If those patches would be integrated upstream, then the whole free software community would benefit.

Which brings up at least two issues. Upstream not wanting the patches or dead upstream. Speaking from the games team alone I would bet that 50% or more of the packages have no upstream anymore. Should those packages be removed? Also, obviously, there are changes that make no sense to upstream that are strictly distro specific.

> > Also, I don't think we should always wait for upstream's new releases for adding them if we have them available. It might depend on every case.
>
> I would prefer if only security fixes and bugs which might cause data loss would be fixed directly in Debian. Everything else should go upstream first.

Sounds good but again, what about unresponsive/dead upstreams? Do you leave your users to "suffer"? Is Debian here to service the user community or not?

> > Maybe there's a problem with the fact that some of those patches are just reviewed by just one person, but then again, I seriously think that it would have been quite difficult to discover that there was a problem with this one. The proof that it wasn't evident is not only that upstream didn't see the problem either, nor any other developer or derivative distribution or independent reviewers in 2 years.
>
> Did you look at the code? This was not exactly a deeply hidden flaw in some obscure looking code. Upstream didn't see the patch. That's exactly the problem. And I doubt that there was any review of this code in all these 2 years.

I have seen links where "upstream" was asked about/notified of the patch so this isn't an entirely true statement. Egos play a big part in all of this as well.

<snip>

> > Of course, the development and checking of the patches should be done as cooperatively with upstream as possible, as upstream might see something we're not seeing, but the way to the solution, in my opinion, is not to avoid patching but to develop a way to check them as extensively as possible.
>
> Checking something extensively is much easier if there is one canonical branch which everybody agrees on.

Sounds like Utopia but I can't see it happening.

> Regards, Martin
Barry deFreese