
Re: version number when packaging a new upstream release



Hi,

On Thu, 06 Oct 2016, Adrian Bunk wrote:
> On Thu, Oct 06, 2016 at 06:16:37PM +0200, Raphael Hertzog wrote:
> > On Thu, 06 Oct 2016, Adrian Bunk wrote:
> >...
> > > Do you have any rationale why you think -1~deb7u1 would be better
> > > than -0+deb7u1?
> > 
> > My preference goes for the former because it matches the logic of
> > backported packages and thus does not introduce a new concept while
> > -0+deb7u1 is not something we use in another context.
> 
> -0+deb7u1 is a concept already used in DSAs for exactly this purpose.

It's not always the case. Check out all the OpenJDK DSAs, just like
MySQL we import newer upstream releases:
https://lists.debian.org/debian-security-announce/2016/msg00028.html
https://tracker.debian.org/pkg/openjdk-7

So while it has been used it's not the only one in use in the context
of the security team.

> I just found a good example how the versioning you are suggesting could 
> cause real problems:

If you mix two versioning schemes for security updates in two releases,
you're going to have problems, that's granted.

The point of this discussion is to find out which of the two we should
standardize on.

We should invite the security team to the discussion and then document the
recommended versioning scheme.

I still continue to believe that -1~debXuY is enough and that -0+debXuY
is not required and even awkward when it's really a backported version
of something packaged in a newer release.

But in the end, whatever is picked, it's not a big deal. What is important
is to record the result of the discussion in our LTS/security
documentation and ideally in the developers reference.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

