Re: new kubernetes packaging

To: debian-devel@lists.debian.org
Subject: Re: new kubernetes packaging
From: Russ Allbery <rra@debian.org>
Date: Tue, 24 Mar 2020 15:14:02 -0700
Message-id: <[🔎] 87wo79pfit.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 87lfnpv279.fsf@iris.silentflame.com> (Sean Whitton's message of "Tue, 24 Mar 2020 15:05:14 -0700")
References: <[🔎] 6621155.inLKrcisiX@deblab> <[🔎] 87k13attg9.fsf@iris.silentflame.com> <[🔎] CAGsaWmP4O3ZqbbQRGF3Z076Aod=Y1Gd_QDWT+HqQrzYu+02E-w@mail.gmail.com> <[🔎] 20200324203716.kzypgt33y3n47v4y@yuggoth.org> <[🔎] 87lfnpv279.fsf@iris.silentflame.com>

Sean Whitton <spwhitton@spwhitton.name> writes:

> Thank you for your e-mail.  I agree with you that security support is
> the most pressing reason to avoid piles of vendored code, and you make
> an interesting argument regarding how it can be difficult to provide
> security fixes if our refusal to use vendored code means we lag too far
> behind upstream.

> I am not sure, however, that your argument applies to security updates
> to our stable releases.  These updates are almost always a matter of
> backporting small fixes, rather than updating to new upstream releases.
> And for backported fixes, vendoring makes things much harder.

I think this calculus is not entirely obvious.

What you say is true if the library is used by multiple applications in
Debian (although it's still not as good of a story with Go as it is for
C).  We can backport a patch to that one library, and then rebuild the
applications that incorporate it.

However, if a library exists in Debian solely because it is a dependency
of some sprawling application and isn't used by other things, it may be
easier to do a security update if it's vendored.  There are, at the least,
fewer packages to rebuild, and the testing story is slightly more
straightforward.

Possibly more significantly is how the flow of security advisories work.
If the advisory is likely to come from Kubernetes and their security fix
release is a point release update to their package including the vendored
modules, we can potentially adopt the "sane upstream stable point release"
policy and just update stable to their point release.  (Kubernetes does
maintain long-lived stable branches, although I don't know how stringent
they are about what changes they're willing to take in the stable
branches.)  In this case, we create a bit more security work by separately
packaging the dependencies, since we now have to trace down the package
that corresponds to a Kubernetes security advisory and update it.

This of course doesn't apply if the individual libraries are releasing
their own security advisories.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: new kubernetes packaging
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: new kubernetes packaging
  - From: Simon McVittie <smcv@debian.org>

References:
- What to do when DD considers policy to be optional? [kubernetes]
  - From: Dmitry Smirnov <onlyjob@debian.org>
- Re: What to do when DD considers policy to be optional? [kubernetes]
  - From: Sean Whitton <spwhitton@spwhitton.name>
- Re: What to do when DD considers policy to be optional? [kubernetes]
  - From: Janos LENART <ocsi@debian.org>
- Re: What to do when DD considers policy to be optional? [kubernetes]
  - From: Jeremy Stanley <fungi@yuggoth.org>
- Re: new kubernetes packaging
  - From: Sean Whitton <spwhitton@spwhitton.name>

Prev by Date: Re: new kubernetes packaging
Next by Date: Re: new kubernetes packaging
Previous by thread: Re: new kubernetes packaging
Next by thread: Re: new kubernetes packaging
Index(es):
- Date
- Thread