Re: please use release tarballs :-)

To: debian-qt-kde@lists.debian.org
Subject: Re: please use release tarballs :-)
From: Chris Cheney <ccheney@cheney.cx>
Date: Tue, 2 Sep 2003 17:00:51 -0500
Message-id: <[🔎] 20030902220051.GP4112@cheney.cx>
Mail-followup-to: debian-qt-kde@lists.debian.org
In-reply-to: <[🔎] 200309022310.00392.nolden@kde.org>
References: <[🔎] 200309022310.00392.nolden@kde.org>

On Tue, Sep 02, 2003 at 11:09:55PM +0200, Ralf Nolden wrote:
Content-Description: signed data
> Hi,
> 
> FYI, while communicating with Matt Zimmerman a couple of weeks back on 
> security issues for KDE (that the woody debs on kde.org have those fixed as 
> well - Martin Schulze included that info while he was doing that) we were 
> discussing things like that the KDE packages in sid are made from CVS 
> checkouts rather than from the original release tarballs.  Matt would prefer 
> to get them build from the release tarballs with patchsets against CVS if you 
> need them - however, this is none of my business so you might want to check 
> with Matt how to proceed with your next upload as that's probably the last 
> chance to do it the way the security team would like to have things done for 
> sarge.

For one thing, we always need the updates from branch, KDE is
notoriously buggy, just look at the bug list sometime ;). However, the
orig.tar.gz in 99% of the cases is the KDE_3_1_X_RELEASE export minus all
the autocrap and CVS dir crap that upstream ships in their tarballs. If
debian f*cking supported decent change support, not just text diff then
this could be 100% the case. Sometimes binary files change (eg png's) and
in those cases I have to stuff them in orig.tar.gz since going through the
uuencode/etc process is a REALLY BIG PITA. The resulting diff.gz that is
built for uploads includes KDE_3_1_BRANCH (minus binary stuff) since the
last release plus the autocrap.  A new security release shouldn't be very
hard to do for KDE 3 since you would just need to do a current
KDE_3_1_BRANCH export and build it.

I will never ship pristine upstream tarballs due to the CVS dir issue
which Debian officially doesn't want either... so its a no win situation,
someone in Debian will always be bitching.

> I know making patchsets for every change requires a lot of time and effort but
> you should seriously think about doing it; it will ensure more quality 
> control and give the security team a better base in case they will receive 
> security patches from KDE - again this is my personal opinion, I'm not a 
> debian developer yet that I could do this on my own but I would be willing to 
> help there.

In future releases I can provide the diff.gz for security releases if
wanted.  I didn't provide them on 2.2 releases since I didn't maintain
KDE during that time (not really anyway) and the build system was a mess,
etc.

Chris

BTW - I make it a habit to never fix things directly in the diff.gz, if
needed I make debian specific changes and then create diffs for them in
the debian/patches dir.

Reply to:

Follow-Ups:
- Re: please use release tarballs :-)
  - From: Ralf Nolden <nolden@kde.org>

References:
- please use release tarballs :-)
  - From: Ralf Nolden <nolden@kde.org>

Prev by Date: please use release tarballs :-)
Next by Date: Re: please use release tarballs :-)
Previous by thread: please use release tarballs :-)
Next by thread: Re: please use release tarballs :-)
Index(es):
- Date
- Thread