Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)


On 29-08-2019 14:28, Raphael Hertzog wrote:
> (Note: pkg-security@tracker.d.o is not a valid email, dropped)
> Hi,
> On Thu, 29 Aug 2019, Holger Levsen wrote:
>>> In general, we (Debian) don't have a good answer to this problem and
>>> virtualbox is clearly a bad precedent. We really need to find a solution
>>> to this in concertation with the release managers.
>> so I've added them to this thread.
>> youtube-dl is in the same boat...

Wasn't Pirate already working on a solution? How is that faring? I know
it doesn't have all the properties you are seeking, but ...

> To kickstart the discussion, I can try to make a proposal.
> 1/ We tag such packages in some way (let's say a new field
>   "Backport-Only: yes")
> 2/ Those packages are considered like others for testing migration
>    but when britney accepts them, instead of adding them to "<testing-codename>"
>    it adds them to "<testing-codename>-backports". Obviously this requires
>    britney to consider the combination of both repositories when
>    considering migrations. And it will require changes to generate two
>    separate output files for dak.
>    The hardest part is ensuring that testing doesn't contain packages that
>    would depend on packages present only in the backports part. Not sure
>    we want to handle this directly within britney. It might be better to
>    have QA tools for this and report bugs as appropriate.
> The good thing is that those applications are then available from day 1 in
> stable-backports after the release.
> The backports rules would have to be tweaked a bit to accept backports
> coming out of "<testing>-backports". But all those aspects are a
> relatively minor detail IMO.

In the discussion that Pirate had with the backports masters, it was my
interpretation that they didn't like it.


