
Re: please use release tarballs :-)



On Wednesday, 3 September 2003 00:00, Chris Cheney wrote:
> On Tue, Sep 02, 2003 at 11:09:55PM +0200, Ralf Nolden wrote:
> Content-Description: signed data
>
> > Hi,
> >
> > FYI, while communicating with Matt Zimmerman a couple of weeks back on
> > security issues for KDE (that the woody debs on kde.org have those fixed
> > as well - Martin Schulze included that info while he was doing that) we
> > were discussing things like that the KDE packages in sid are made from
> > CVS checkouts rather than from the original release tarballs.  Matt would
> > prefer to get them built from the release tarballs with patchsets against
> > CVS if you need them - however, this is none of my business so you might
> > want to check with Matt how to proceed with your next upload as that's
> > probably the last chance to do it the way the security team would like to
> > have things done for sarge.
>
> For one thing, we always need the updates from branch, KDE is
> notoriously buggy, just look at the bug list sometime ;). However, the
> orig.tar.gz in 99% of the cases is the KDE_3_1_X_RELEASE export minus all
> the autocrap and CVS dir crap that upstream ships in their tarballs. If
> debian f*cking supported decent change support, not just text diff then
> this could be 100% the case. Sometimes binary files change (eg PNGs) and
> in those cases I have to stuff them in orig.tar.gz since going through the
> uuencode/etc process is a REALLY BIG PITA. The resulting diff.gz that is
I know that also. The java stuff contains binaries as well, so this was kind 
of hard to track down if you update from the branch. At least I try to use 
the release tarballs in my woody builds, which worked quite OK for 3.1.3, and I 
guess 3.1.4 will be smooth as well.

I wonder why the CVS dirs are not supported though; they contain the release 
tag, and even if you'd update from CVS or use the branch, the security team 
could track down the information by the revision number that your orig.tar.gz 
would ship in the CVS dirs.
>
> I will never ship pristine upstream tarballs due to the CVS dir issue
> which Debian officially doesn't want either... so it's a no-win situation,
> someone in Debian will always be bitching.
I know :-(

>
> Chris
>
> BTW - I make it a habit to never fix things directly in the diff.gz, if
> needed I make debian specific changes and then create diffs for them in
> the debian/patches dir.
That's what I meant.
-- 
We're not a company, we just produce better code at less costs.
--------------------------------------------------------------------
Ralf Nolden
nolden@kde.org

The K Desktop Environment       The KDevelop Project
http://www.kde.org              http://www.kdevelop.org
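As an added example (not code from this thread or from the KDE or Debian packaging), here is the kind of check the security team's preference boils down to: unpack the upstream release tarball and the Debian orig tarball, compare the two trees while ignoring CVS/ directories, and list every file that differs, flagging binary files (the PNG case above) that a text-only diff.gz could not carry. The sample trees, file names and the release tag value are constructed stand-ins; the functions assume two already unpacked directories.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares an unpacked upstream
# release tree with a Debian orig tree, ignores CVS/ directories, and
# reports each file that differs, marking binaries that a text diff.gz
# could not carry. The sample trees below are constructed stand-ins.
set -e

setup_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/upstream/src/CVS" "$root/upstream/pics" \
             "$root/orig/src" "$root/orig/pics"
    printf 'int main(void){return 0;}\n' > "$root/upstream/src/main.c"
    printf 'int main(void){return 1;}\n' > "$root/orig/src/main.c"   # text change
    printf 'KDE_3_1_4_RELEASE\n' > "$root/upstream/src/CVS/Tag"      # must be ignored
    printf '\211PNG\r\n\032\n\000' > "$root/upstream/pics/icon.png"
    printf '\211PNG\r\n\032\n\001' > "$root/orig/pics/icon.png"      # binary change
    printf 'same\n' > "$root/upstream/README"
    printf 'same\n' > "$root/orig/README"                            # identical
    echo "$root"
}

# compare_trees UPSTREAM ORIG: one line per difference, the relative path
# prefixed with text | binary | only-in-upstream | only-in-orig.
compare_trees() {
    up=$1; orig=$2
    { (cd "$up" && find . -type f ! -path '*/CVS/*')
      (cd "$orig" && find . -type f ! -path '*/CVS/*'); } |
    sed 's|^\./||' | sort -u | while read -r f; do
        [ -e "$up/$f" ]   || { echo "only-in-orig $f"; continue; }
        [ -e "$orig/$f" ] || { echo "only-in-upstream $f"; continue; }
        cmp -s "$up/$f" "$orig/$f" && continue
        # Any byte outside printable ASCII or whitespace marks the pair binary.
        if LC_ALL=C grep -q '[^[:print:][:space:]]' "$up/$f" "$orig/$f"; then
            echo "binary $f"
        else
            echo "text $f"
        fi
    done
}

SAMPLE=$(setup_sample)
trap 'rm -rf "$SAMPLE"' EXIT
compare_trees "$SAMPLE/upstream" "$SAMPLE/orig"
```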
