[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

(Note: pkg-security@tracker.d.o is not a valid email, dropped)


On Thu, 29 Aug 2019, Holger Levsen wrote:
> > In general, we (Debian) don't have a good answer to this problem and
> > virtualbox is clearly a bad precedent. We really need to find a solution
> > to this in concertation with the release managers.
> so I've added them to this thread.
> youtube-dl is in the same boat...

To kickstart the discussion, I can try to make a proposal.

1/ We tag such packages in some way (let's say a new field
  "Backport-Only: yes")

2/ Those packages are considered like others for testing migration
   but when britney accepts them, instead of adding them to "<testing-codename>"
   it adds them to "<testing-codename>-backports". Obviously this requires
   britney to consider the combination of both repositories when
   considering migrations. And it will require changes to generate two
   separate output files for dak.

   The hardest part is ensuring that testing doesn't contain packages that
   would depend on packages present only in the backports part. Not sure
   we want to handle this directly within britney. It might be better to
   have QA tools for this and report bugs as appropriate.

The good thing is that those applications are then available from day 1 in
stable-backports after the release.

The backports rules would have to be tweaked a bit to accept backports
coming out of "<testing>-backports". But all those aspects are a
relatively minor detail IMO.

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

Attachment: signature.asc
Description: PGP signature

Reply to: