
Re: couchdb stable

Hi,

On Mon, 17 May 2010, Sam Bisbee wrote:
> > If there are stability or security fixes that apply to the version in
> > stable then backporting those that are "important enough" to stable is
> > worth investigating.  Functionality updates are unlikely to be
> > appropriate for a stable update.
> >
> > > > A fix for CVE-2010-0009 in stable may well be appropriate, 
> 
> So, it sounds like the CVE fix would qualify for this, but I have no idea how
> the code is going to backport across 2 years of changes. And, like I said, I'm
> not sure I see the point; I don't mind doing the work, but I do mind wasting
> time (more below).

What is so difficult to understand that keeping the system of our stable
users secure is not wasting time?

If you make this remark, it's possibly because you don't believe that
anyone is using the version in stable. In that case, maybe you (or the
former maintainer) should not have let this version reach lenny and should
have kept it in unstable only until the software was sufficiently usable
and worth supporting.

Note that you also have the possibility to provide a backport of a more
recent version in backports.debian.org.

> > Unfortunately, it's not just a case of the size of the diff.  One of the
> > reasons we generally don't include new upstream releases in stable is
> > that they often introduce functionality changes which may have unforeseen
> > effects, particularly when paired with other software in stable.
> 
> Well, it doesn't appear that we'll impact any other packages as nothing depends
> on us in lenny. 

It's not only a matter of affecting other packages, it's a matter of
impacting users of couchdb! People running stable routinely upgrade
packages non-interactively and don't expect to have anything to do to keep
all their stuff working. Such a major upgrade is unlikely to keep their
couchdb database and the code interacting with it working without any
intervention.

> As for the other breaking changes, my initial reaction is that it's okay. It's
> not even that <0.11.0 flew the beta flag or that CouchDB as a whole is under

That's not okay. The promise we make when we release a stable version of
any of our packages is not the same as any promise upstream can make.

> I'm not asking for constant pushes to stable or anything, but I'm considering
> stability, security fixes, and the usefulness of stable - if people don't use
> stable because of "no" features and it not being, well, stable, then why do we
> have it?

Why was it packaged in unstable and not in experimental at that time then?
Or why was no RC bug opened to avoid it going into stable?

Cheers,
-- 
Raphaël Hertzog

Like what I do? Sponsor me: http://ouaza.com/wp/2010/01/05/5-years-of-freexian/
My Debian goals: http://ouaza.com/wp/2010/01/09/debian-related-goals-for-2010/