[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Making Source-Version binNMU-safe



Nathanael Nerode <neroden@twcny.rr.com> writes:

> The following patch for dpkg-dev is inspired by the comments by
> Steve Langasek in 
> http://lists.debian.org/debian-devel/2005/11/msg00005.html
> and the related thread, which seem to me clearly correct.
>
> The original problem is best described here:
> http://lists.debian.org/debian-devel/2005/10/msg01206.html
>
> This change is supposed to only affect situations with binNMUs.  I realized
> that the version number requirements for binNMUs vs. source NMUs
> and maintainer uploads are not actually in policy, which worried me;
> I sent a message to debian-policy.

It is covered in the developers reference:
http://www.us.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-binary-only-nmu

> Given that this actually changes the definition of Source-Version, a
> warning message should probably be sent to debian-devel-announce if this
> is adopted.  However, I think this will be correct the majority of the
> time Source-Version is used.  Only occasionally does a dependency actually
> need to be so strict that a binNMU breaks the relationship.  (This could
> happen in the case of a -dev package depending on a library package, in the
> subcase where the binNMU built the library against different libraries,
> however.)

Every dev package has a strict dependency on its library and for good
reason. When binNMUing a library with this patch the binNMUed -dev
would depend on the broken library and the recompiled library wouldn't
even be installable.

I think that this change, while still good, should be done in 2
steps. First add Binary-Version and get all dev packages (and other
known strict binary-version depends) to use it. When the majority has
done so only then start stripping the Source-Version.

> If you'd rather retain the old not-quite-accurate meaning of
> Source-Version and add something like Indep-Version, that would really
> be just as good, though perhaps slightly more confusing to developers of
> the future; the main point is to provide a standard binNMU-safe way
> of allowing exact versioned dependencies of arch:any packages on arch:all
> packages.  While providing the other meaning for those who need it.
>
> Anyway, I think either this patch, or the 'backward-compatible' version
> introducing Indep-Version and retaining the old meaning of Source-Version,
> is a good idea.  Thoughts?

$ dpkg --compare-versions "1.2-3.0.1" "<<" "1.2-3sarge1" || echo no 
no
$ dpkg --compare-versions "1.2-3+b1" "<<" "1.2-3sarge1" || echo no
no

The whole binNMU versioning (or security versioning) has to be
rethought. Neither the current nor the latest sbuild --make-binNMU
scheme (second line) works with security updates.

This would obviously affect this patch.

MfG
        Goswin



Reply to: