Re: version number when packaging a new upstream release
On Fri, Oct 07, 2016 at 09:11:15AM +0200, Raphael Hertzog wrote:
> On Thu, 06 Oct 2016, Adrian Bunk wrote:
> > On Thu, Oct 06, 2016 at 06:16:37PM +0200, Raphael Hertzog wrote:
> > > On Thu, 06 Oct 2016, Adrian Bunk wrote:
> > >...
> > > > Do you have any rationale why you think -1~deb7u1 would be better
> > > > than -0+deb7u1?
> > >
> > > My preference goes for the former because it matches the logic of
> > > backported packages and thus does not introduce a new concept while
> > > -0+deb7u1 is not something we use in another context.
> > -0+deb7u1 is a concept already used in DSAs for exactly this purpose.
> It's not always the case. Check out all the OpenJDK DSA, just like
> MySQL we import newer upstream releases:
> So while it has been used it's not the only one in use in the context
> of the security team.
> > I just found a good example how the versioning you are suggesting could
> > cause real problems:
> If you mix two versioning schemes for security updates in two releases,
> you're going to have problems, that's granted.
> The point of this discussion is to find out on which of the two we should
> standardize on.
> We should invite the security team in the discussion and then document the
> recommended versioning scheme.
> I still continue to believe that -1~debXuY is enough and that -0+debXuY
> is not required and even awkward when it's really a backported version
> of something packaged in a newer release.
> But in the end, whatever is picked, it's not a big deal. What is important
> is to record the result of the discussion in our LTS/security
> documentation and ideally in the developers reference.
-0+deb8u1 and -1~deb8u1 have "different meanings". Here an explanation
on the rought use how it's used for us, but I think the (S)RM as
usaually giving similar advice on the versioning when it comes to a
If just import a new upstream version on top of the previous
packaging, then we indicate this with a -0+deb8u1, which will sort as
well before any -1 in unstable. Examples for such uploads are the
already mentioned mysql-5.5, but as well php5 or mariadb-10.0.
If it's basicaly/roughtly a rebuild of the upper suite version, then
-1~deb8u1 will be similar to the bpo versions use and sort before the
upper suite version.
Hope this explains why on the different uses.