
Re: Adding version constraints in dependencies to avoid bugs

Thomas Goirand <zigo@debian.org> writes:

> Someone is insisting that I should set the minimum version of
> python-openssl in my packages, just to avoid the bug of pyopenssl. I
> replied that if we were to do so in Debian, the work would be
> exponential, and that this is not what we should do: the bug in
> pyopenssl has been fixed (in a record time, I should also mention), and
> it is my opinion that there's no work required on my packages that depend
> on python-openssl.

> Am I right that I should do nothing on my packages, or should we
> *really* modify about 54 source packages just to avoid a bug in one of
> the dependencies? What if we have a bug on a high profile package with
> hundreds of reverse dependencies?

My policy on my packages is to default to not updating any dependencies
for pure bugs in the other package.  Bugs in dependencies make packages
temporarily unusable all the time for all sorts of reasons.  If we added
version dependencies for all of them, we'd have an unmaintainable disaster
of tangled version restrictions.

The exception is when the bug is in stable and won't be fixed in stable,
if it causes serious upgrade issues that could result in apt giving up on
an upgrade instead of finding the correct solution, or if the bug breaks
the package in some invisible but dangerous way (data loss, for instance).
In those cases, I might consider a versioned dependency as an aid.  But
I think it's something to use judiciously.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>