
Re: version number when packaging a new upstream release



Hi Raphael,

On Fri, Oct 07, 2016 at 09:11:15AM +0200, Raphael Hertzog wrote:
> Hi,
> 
> On Thu, 06 Oct 2016, Adrian Bunk wrote:
> > On Thu, Oct 06, 2016 at 06:16:37PM +0200, Raphael Hertzog wrote:
> > > On Thu, 06 Oct 2016, Adrian Bunk wrote:
> > >...
> > > > Do you have any rationale why you think -1~deb7u1 would be better
> > > > than -0+deb7u1?
> > > 
> > > My preference goes for the former because it matches the logic of
> > > backported packages and thus does not introduce a new concept while
> > > -0+deb7u1 is not something we use in another context.
> > 
> > -0+deb7u1 is a concept already used in DSAs for exactly this purpose.
> 
> It's not always the case. Check out all the OpenJDK DSA, just like
> MySQL we import newer upstream releases:
> https://lists.debian.org/debian-security-announce/2016/msg00028.html
> https://tracker.debian.org/pkg/openjdk-7
> 
> So while it has been used it's not the only one in use in the context
> of the security team.
> 
> > I just found a good example how the versioning you are suggesting could 
> > cause real problems:
> 
> If you mix two versioning schemes for security updates in two releases,
> you're going to have problems, that's granted.
> 
> The point of this discussion is to find out on which of the two we should
> standardize on.
> 
> We should invite the security team in the discussion and then document the
> recommended versioning scheme.
> 
> I still continue to believe that -1~debXuY is enough and that -0+debXuY
> is not required and even awkward when it's really a backported version
> of something packaged in a newer release.
> 
> But in the end, whatever is picked, it's not a big deal. What is important
> is to record the result of the discussion in our LTS/security
> documentation and ideally in the developers reference.

-0+deb8u1 and -1~deb8u1 have "different meanings". Here is an explanation
of roughly how it's used by us, but I think the (S)RM are
usually giving similar advice on the versioning when it comes to a
proposed-update:

If we just import a new upstream version on top of the previous
packaging, then we indicate this with a -0+deb8u1, which will sort as
well before any -1 in unstable. Examples for such uploads are the
already mentioned mysql-5.5, but as well php5 or mariadb-10.0.

If it's basically/roughly a rebuild of the upper suite version, then
-1~deb8u1 will be similar to the bpo versions use and sort before the
upper suite version.

Hope this explains the why of the different uses.

Regards,
Salvatore

