
Re: Release goal proposal: remove yada



On 2 August 2011 13:24, Ricardo Mones <mones@debian.org> wrote:
> From the dialog on the bug seems only Build-Depends are adjusted by the
> packages existing in the build environment, i.e., not arbitrary rewriting
> but a precise one. What has changed in this regard to make it serious?

Allow me to focus on this issue, because it sets yada apart from
debhelper, cdbs or packages without any helpers.  I will CC the bug in
question.

Firstly, the scope of the rewriting is greater than merely the
Build-Depends field.  The entire control file in the source package
(not just in the binary packages) is regenerated from debian/packages
during each build - indeed, so is debian/rules.  Any manual
modifications to debian/control or debian/rules are likely to be
overwritten when 'debclean' is run.

Secondly, consider the case where yada is updated during the course of
a release cycle, and a package using yada is not rebuilt before the
release:

 1. yada-0.55-1 is uploaded.
 2. foo-0.1-1 is uploaded - Build-Depends: yada (>= 0.55)
 3. yada-0.56-1 is uploaded.
 4. Release happens.
 5. Security bug is found in the 'foo' package.

Then the security update for 'foo' will be given a different
Build-Depends line from foo-0.1-1.  If any other details of how
control or rules files are generated have changed in yada 0.56, then
these will also be applied to the security update.

This makes it difficult to produce a minimal diff for a security
update (or even an NMU in unstable) for a package using yada, and
increases the risk of unintentional changes.  The same problems do not
occur with other methods of building packages, because the source
packages are not automatically modified.

Kind regards,

-- 
Tim Retout <diocles@debian.org>
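
A check a reviewer could run before uploading a security update or NMU, shown as an added example that is not part of the original message or of yada: it compares the released debian/control with the regenerated one, field by field, and reports every difference. The function names are hypothetical, the two control files are constructed samples, and the regenerated "yada (>= 0.56)" constraint is an assumption used to illustrate the scenario above.

```python
def parse_control(text):
    """Parse deb822 text into a list of stanzas (dicts of field -> value)."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue                      # comment line
        if not line.strip():              # blank line ends a stanza
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:   # continuation of the previous field
            current[last] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            last = name.strip()
            current[last] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def stanza_key(stanza):
    # The source stanza carries "Source", binary stanzas carry "Package".
    if "Source" in stanza:
        return ("source", stanza["Source"])
    return ("binary", stanza.get("Package", "?"))

def control_drift(released, regenerated):
    """Return (stanza, field, old, new) tuples for every differing field."""
    old = {stanza_key(s): s for s in parse_control(released)}
    new = {stanza_key(s): s for s in parse_control(regenerated)}
    drift = []
    for key in sorted(set(old) | set(new)):
        a, b = old.get(key, {}), new.get(key, {})
        for field in sorted(set(a) | set(b)):
            if a.get(field) != b.get(field):
                drift.append((key[1], field, a.get(field), b.get(field)))
    return drift

# Constructed sample: debian/control as shipped in foo-0.1-1 ...
RELEASED = """Source: foo
Build-Depends: yada (>= 0.55)

Package: foo
Architecture: any
"""
# ... and as regenerated after yada 0.56 entered the archive (assumed value).
REGENERATED = RELEASED.replace("0.55", "0.56")

if __name__ == "__main__":
    for stanza, field, was, now in control_drift(RELEASED, REGENERATED):
        print(f"{stanza}: {field}: {was!r} -> {now!r}")
```

An empty result means the regenerated control file matches the released one; any row is a change the security diff did not ask for.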

