Re: what to do with LTS-backports?

To: Holger Levsen <holger@layer-acht.org>
Cc: debian-lts@lists.debian.org, debian-backports@lists.debian.org
Subject: Re: what to do with LTS-backports?
From: Rhonda D'Vine <rhonda@deb.at>
Date: Thu, 19 May 2016 14:16:51 +0200
Message-id: <[🔎] 20160519121651.GA32391@anguilla.debian.or.at>
In-reply-to: <[🔎] 20160519114556.GA22212@layer-acht.org>
References: <[🔎] 20160519114556.GA22212@layer-acht.org>

    Hi,

* Holger Levsen <holger@layer-acht.org> [2016-05-19 13:45:56 CEST]:
> appearantly some maintainers don't want to support backports in
> wheezy-backports anymore, saying wheezy is oldstable now (und
> unsupported by Debian proper, "just" maintained by the Debian LTS team.)

 That's fine with me, I'm willing to pick up that work personally - as
long as the package in wheezy-backports is current with jessie.  What
I'm unwilling to pick up is packages that aren't up to date with what we
ship in jessie since a year now, having to update them where the
original backporter abandoned the package and doesn't seem to be
interested anymore in maintaining it:

 Looking at the stats, we have 327 out of 1040 [1] backported source
package which have a newer upstream version in jessie than what we have
in wheezy-backports, and an additional 175 packages [2] which have an
updated Debian revision only.  That's kinda *huge*, frankly spoken.

[1] <http://backports.debian.org/wheezy-backports/outdated/>
[2] <http://backports.debian.org/wheezy-backports/older/>

 I'm not so sure how to move on from that point, frankly spoken.
Removals are never something that sounds nice.

 But: I really don't see this as an LTS issue somehow.  wheezy-backports
are done from stable, and the changed source through patches there
should work/compile in wheezy-backports just the same.  *If* they are in
sync already with the version in jessie.  And like said, I am willing to
do that part.

 There is one area though I have troubles with, and that is
wheezy-backports-sloppy: Those packages come from stretch.  And the
further the releases divert there the more difficult it becomes to
maintain those packages.  This area really means a fair amount of
headache and a burden, and at least from that point of view I'm a bit
worried that the LTS related extending of the lifetime is too much to
carry for most.  If it weren't solely for wheezy-backports, I'd vote for
"yes, keep it during LTS time still".  If it were for
wheezy-backports-sloppy I'd rather in the "please rather not" team.
Personally speaking that is, not with my backports maintainer hat on.

> OTOH, having unsupported backports with known security vulnerabilities
> is bad. So an option would be to _close_ wheezy-backports _now_, also to
> communicate this issue to the users.

 I really would love to have the security tracker supporting the
backports overview again for that ...
https://security-tracker.debian.org/tracker/status/release/stable-backports
is empty - and I highly doubt that that's correct.

https://security-tracker.debian.org/tracker/status/release/oldstable-backports
has things listed (the only backports overview page that has anything,
at all ...), but the issue-pages don't list backports neither, like
https://security-tracker.debian.org/tracker/CVE-2015-7869

> Removing individual backports from wheezy-bpo is both error prone and
> manual busy work on the shoulders of the bpo admins, who wouldn't want
> to do this job.

 Sure, but we already need to do that every now and then when we find
out (by digging up or getting prodded about it) that packages are
unmaintained in a rather long time ...  What we would like is have
backporters be more active in communicating on reasons if there are
troubles with updating the backports and why they don't do it, rather
than having us have to first find out and second prod them for a
statement then ...

> (There is also the problem that some maintainers don't support their
> backports during the life time of stable, but that's a different problem
> IMO. Now we have the problem that backports need to be supported for up
> to 5 years instead of 3 too… this mail is about this 5y problem.)

 Sure, but the 5y problem isn't that big (for regular backports, only
for -sloppy) and if it weren't just that I'd be willing to carry that on
my own, too.  It's not as huge (besides -sloppy) as you seem to imply.

 Enjoy,
Rhonda
-- 
Fühlst du dich mutlos, fass endlich Mut, los      |
Fühlst du dich hilflos, geh raus und hilf, los    | Wir sind Helden
Fühlst du dich machtlos, geh raus und mach, los   | 23.55: Alles auf Anfang
Fühlst du dich haltlos, such Halt und lass los    |

Reply to:

Follow-Ups:
- Re: what to do with LTS-backports?
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

References:
- what to do with LTS-backports?
  - From: Holger Levsen <holger@layer-acht.org>

Prev by Date: Re: what to do with LTS-backports?
Next by Date: Re: No DLA for xen, librsvg, libidn?
Previous by thread: Re: what to do with LTS-backports?
Next by thread: Re: what to do with LTS-backports?
Index(es):
- Date
- Thread