Re: About a mass bug report not based on Sid or Jessie.
On Tue, Apr 22, 2014 at 11:36:52AM -0700, Russ Allbery wrote:
> Santiago Vila <sanvila@unex.es> writes:
> > I would rather autoreconf at dpkg-buildpackage time in such a way that
> > you get an updated Debian source every time you make a new Debian
> > release for such package (something like
> > debian/patches/auroreconf.diff).
>
> The one thing that we absolutely should *not* do is ship the results of
> autoreconf as a diff. That diff is (a) completely unreadable, (b) huge,
> and (c) unstable across versions, which makes life incredibly painful for
> people like the security team and the release team.
Hmm. Please don't exaggerate.
(a) Diffs are not made to be readable, they are made to update
things. As those diffs are the result of an automatic processs, you
should only need to look at the updated file, not at the diff.
Moreover, if they are unreadable, so are the file being diffed itself.
Being readable should not be a concern here.
(b) I know this very well, as I once had to update libtool in recode
and the result was indeed frightening, but this is aesthetics and
functionality is more important. The build system is only a small part
of the package, so the diff can't be a lot bigger than the original
source.
(c) Security bugs are usually fixed in the actual source (.c, .h, etc)
and rarely in the build system (Makefiles, configure, etc). I don't
really think this is a good argument. For every package where
autoreconf would work, so would a static diff which is included in the
package itself, so there is not really such a big difference.
Reply to: