[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [PEAR-QA] Re: [PEAR-DEV] Re: [PEAR-QA] PHP License



On Tuesday 23 August 2005 09:34 pm, Justin Patrin wrote:
> On 8/23/05, Ian Eure <ieure@php.net> wrote:
> > On Tuesday 23 August 2005 05:46 pm, Joe Stump wrote:
> > > I agree. I never understood why we used the PHP license over, say,
> > > the BSD or LGPL (which both fit library level type code a lot better
> > > IMO). To have the license require distribution of PHP is a little
> > > odd. What I'm a tad more confused about is why anyone would maintain
> > > their packages through apt instead of pear.
> > >
> > > pear upgrade Package_Name
> > >
> > > - or -
> > >
> > > pear upgrade-all
> > >
> > > Translates about as well as "apt-get install php4-pear-package-name"
> > > I would think.
> >
> > - Consistency. If there were many packaging systems, the OS as a whole
> > would be an inconsistent mishmash.
> > - Security. Debian has a centralized security system, and using a
> > 3rd-party packaging system on a Debian box defeats that.
> > - Because Debian Stable should be Debian Stable. PEAR_FooBar 1.0.6 may
> > have a fix for a security issue or critical bug, but may break in
> > relation to 0.9.0b3 or 1.0.1, as shipped with the last Debian Stable.
> > Upgrading to PEAR_FooBar 1.0.6 is an unknown quantity, while you know
> > that your packages will only get BC fixes when upgrading with apt-get.
>
> And someone working in Debian is checking all PEAR packages for BC breaks?
>
For security updates, yes. Only the fix in question is backported, not the 
full set of changes.


> Come on now. PEAR packages adhere to BC rules. Any stable package *may
> not break BC*. If a new release breaks BC it's a bug and will be fixed
> either by the author or the QA team. I honestly don't see how a Debian
> maintainer is going to know about and deal with BC problems any better
> than the PEAR QA team.
>
I believe there have been several instances where these rules weren't 
followed. Also, there's the possibility for more subtle breakage. Consider 
that some functions work, but return notices from one stable version to 
another. Net_Curl is one example, and I know that QuickForm also does 
something similar, though I don't know if the change happened from a.b.c to 
a.b.c+1 or a+1.0.0.

While the calls may still work, the behavior isn't the same as before, and 
could easily cause problems, particularly when used in an XHTML site, where 
they could break a page's well-formedness. Backporting only the security fix 
avoids this problem.

Attachment: pgpYKLVoFZOK6.pgp
Description: PGP signature


Reply to: