
Re: About a mass bug report not based on Sid or Jessie.



Santiago Vila <sanvila@unex.es> writes:
> On Tue, Apr 22, 2014 at 11:36:52AM -0700, Russ Allbery wrote:

>> The one thing that we absolutely should *not* do is ship the results of
>> autoreconf as a diff.  That diff is (a) completely unreadable, (b)
>> huge, and (c) unstable across versions, which makes life incredibly
>> painful for people like the security team and the release team.

> Hmm. Please don't exaggerate.

I don't believe that I am exaggerating.

> (a) Diffs are not made to be readable, they are made to update
> things. As those diffs are the result of an automatic process, you
> should only need to look at the updated file, not at the diff.
> Moreover, if they are unreadable, so is the file being diffed itself.
> Being readable should not be a concern here.

This is absolutely not true in Debian's processes.  Both the release team
and the security team use diffs as first-class artifacts for doing code
review.

> (c) Security bugs are usually fixed in the actual source (.c, .h, etc)
> and rarely in the build system (Makefiles, configure, etc).

In several cases I have had to make changes to the build system as part of
security fixes.  Even more frequently I've had to make changes to the
build system as part of changes that I want to get into testing during a
release freeze, and sometimes as stable updates.  Particularly in the
latter two cases, changes to Autoconf or Automake result in large,
spurious diffs that complicate and frustrate review when those changes are
recorded as a diff.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
