extensive patching

To: little.miry@gmail.com
Cc: debian-devel@lists.debian.org
Subject: extensive patching
From: Martin Uecker <muecker@gwdg.de>
Date: Fri, 16 May 2008 17:41:57 +0200
Message-id: <[🔎] 1210952517.27033.28.camel@localhost>
In-reply-to: <[🔎] 4671dd0c0805160641q588b37e5q83514a9c09abcfc8@mail.gmail.com>

little.miry@gmail.com wrote:

> I disagree. The cause of the disaster was not that Debian does its own
> patching, but the fact that that patch was buggy.

Buggy patches happen all the time. The question is, how could 
something as bad as this slip through? And one important
reason is IMHO, that splitting up the development/bug fixing/review
by creating different software branches is bad.

> On the whole I think that Debian benefits a lot from custom patches,
> and in fact many packages would be severely buggy and/or wouldn't
> integrate properly with the rest of the system without them.
> It's not a secret that many projects benefit from Debian patches, 
> so there might be something good with them. 

Clearly, Debian adds value by its patches. If those patches would be
integrated upstream, then the whole free software community would 
benefit. 

> Also, I don't think we should always wait for upstream's new releases 
> for adding them if we have them available. It might depend on every case.

I would prefer if only security fixes and bugs which might cause
data loss would fixed directly in Debian. Everything else should
go upstream first. 

> Maybe there's a problem with the fact that some of those patches are
> just reviewed by just one person, but then again, I seriously think
> that it would have been quite difficult to discover that there was a
> problem with this one. The proof that it wasn't evident is not only
> that upstream didn't see the problem either, nor any other developer
> or derivative distribution or independent reviewers in 2 years.

Did you look at the code? This was not exactly a deeply hidden flaw
in some obscure looking code. Upstream didn't see the patch. That's 
exactly the problem. And I doubt that there was any review of this code
in all this 2 years.

> I think that defending the position of using pristine upstream source
> code are just a conservative position to guarantee that we can blame
> upstream or someone else if something like this happens again, not
> that bugs won't happen.
> Only those who don't do anything don't make mistakes. The point is to 
> try to avoid mistakes, not to be able to blame upstream. 

I do not think this is true. The criticism comes partly from the outside
(for example from me), so this is clearly not motivated in the way you 
suggest. And I do not blame the developer for his mistake. I blame the 
processes.

> Of course, the development and checking of the patches should be done 
> as cooperatively with upstream as possible, as upstream might see 
> something we're not seeing, but the way to the solution, in
> my opinion, is not to avoid patching but to develop a way to check
> them as extensively as possible.

Checking something extensively is much easier if there
is one canonical branch which everybody agrees on.

Regards,
Martin

Reply to:

Follow-Ups:
- Re: extensive patching
  - From: Barry deFreese <bddebian@comcast.net>

References:
- Re: changing subjects when discussion becomes slightly off-topic - Was: Re: ssl security desaster (was: Re: SSH keys: DSA vs RSA)
  - From: "Miriam Ruiz" <little.miry@gmail.com>

Prev by Date: Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)
Next by Date: Re: SSH keys: DSA vs RSA (was: Alioth and SSH: restored)
Previous by thread: Debian patches
Next by thread: Re: extensive patching
Index(es):
- Date
- Thread