
Re: About Jenkins in Debian



Hi,

On 24.01.2016 at 16:54, 殷啟聰 wrote:
> Hi,
> 
> So if my understanding is right, Jenkins is highly likely to be
> removed from Debian. And the reason behind this is because the release
> cycle of Jenkins is way too short and upstream already provides .deb?

Upstream has a so-called LTS Release Line. [1] Jenkins LTS releases are
supported for three months. They also provide fixes for a "limited
subset of plugins that work with the release line". That means we cannot
even assure that all plugins will be supported for a certain release line.

Three months is way too short for a stable release. Debian stable
releases are supported for at least _three years_ and Debian LTS is
supported for _five years_. Jenkins is regularly affected by security
issues. In order to comply with Debian's stable release guidelines,
security fixes must be backported and this requires time and people who
want to work on it. There are some rare exceptions like Iceweasel and
Chromium where new upstream releases are backported to stable. Jenkins
doesn't qualify for those.


> So this makes me think about what exactly should be packaged into
> Debian. There is not much software providing .deb distributions
> in upstream, but what if some of the software whose packages are
> already in Debian starts to provide upstream .deb, will we still have
> the motivation to keep maintaining it? For example, Gradle does not
> have .deb in upstream, but SBT does, and Gradle indirectly depends on
> SBT, then should we package SBT into Debian as well, even though that
> means lots of work?

Most people package something for Debian because the software will be
better integrated into their systems and the quality standards are
higher in Debian. We don't remove Jenkins because upstream provides .deb
packages but because upstream doesn't support their LTS releases for
more than three months. If there are people who actively maintain
software, which includes fixing security bugs in stable releases, then
there would be no reason to remove software. Installing and using
unmaintained software from unstable on production systems with known
security vulnerabilities is of limited usefulness for most people.

> So what if there are some new packages that depend on libraries of
> Jenkins and someone wants to package them, what should he do?
> 
> By the way, I am not using Jenkins in daily life, I am simply curious. :)

He should maintain the libraries like any other package in Debian or
refrain from packaging it at all.

Regards,

Markus


[1] https://wiki.jenkins-ci.org/display/JENKINS/LTS+Release+Line




