Re: maven2 for Debian
On Mon, Mar 05, 2007 at 11:38:06AM -0800, firstname.lastname@example.org wrote:
> Quoting Michael Koch <email@example.com>:
> >>I don't think this can be the only option. Two very different versions
> >>of a library can still be very stable and secure and useful for
> >>different programs. Is there any chance that this approach is being
> >I don't think so. Every duplicated library can create duplicated work for
> >the Debian security work. Consider some artificial java library which
> >handles URLs and their content as an example. Due to a small bug in URL
> >handling this library allows access to system restricted files. This
> >library is now in 3 different versions in Debian. In a stable Debian
> >release the Debian security team has to fix, test, upload 3 libraries
> >instead of the only one we normally have in the archive. Think of a
> >library that is 10 or 20 times in the archive. Debian is a free-time
> >project. Even the security team does everything in their free-time. We
> >should not put more burden on them than really needed.
> I understand that and I agree. However, doesn't the change of library
> invalidate the upstream QA process that includes security and
> potentially is more extensive than the Debian one (at least it should
> be)? If so, how do you weigh the pros and cons? I think multiple
> versions of a library are sometimes necessary but should be limited to
> where it is necessary.
The problem with this is that upstream can't fix bugs in existing
releases. They need to do a new release.
The problem with new releases is that they not only contain bugfixes,
they contain new features with new bugs and even bugfixes can contain
new bugs. Debian stable contains a given set of features. If we find a
bug in a package in it we weigh out carefully if Debian wants to include a
fix for the problem. Normally only security bugs and important bugs
(like data loss) get fixed. This is normally done by extracting the
needed patches from newer upstream releases and including the patch on
top of the package from stable.
Upstream wants its users to always use the newest release. If a bug is
found and fixed they just point the users to the new upstream version.
Easy job. But that's totally different from a distribution's point of
.''`. | Michael Koch <firstname.lastname@example.org>
: :' : | Free Java Developer <http://www.classpath.org>
`. `' |
`- | 1024D/BAC5 4B28 D436 95E6 F2E0 BD11 5923 A008 2763 483B