Hi On 29-08-2019 14:28, Raphael Hertzog wrote: > (Note: pkg-security@tracker.d.o is not a valid email, dropped) > > Hi, > > On Thu, 29 Aug 2019, Holger Levsen wrote: >>> In general, we (Debian) don't have a good answer to this problem and >>> virtualbox is clearly a bad precedent. We really need to find a solution >>> to this in concertation with the release managers. >> >> so I've added them to this thread. >> >> youtube-dl is in the same boat... Wasn't Pirate already working on a solution? How is that faring? I know it doesn't have all the properties you are seeking, but ... > To kickstart the discussion, I can try to make a proposal. > > 1/ We tag such packages in some way (let's say a new field > "Backport-Only: yes") > > 2/ Those packages are considered like others for testing migration > but when britney accepts them, instead of adding them to "<testing-codename>" > it adds them to "<testing-codename>-backports". Obviously this requires > britney to consider the combination of both repositories when > considering migrations. And it will require changes to generate two > separate output files for dak. > > The hardest part is ensuring that testing doesn't contain packages that > would depend on packages present only in the backports part. Not sure > we want to handle this directly within britney. It might be better to > have QA tools for this and report bugs as appropriate. > > The good thing is that those applications are then available from day 1 in > stable-backports after the release. > > The backports rules would have to be tweaked a bit to accept backports > coming out of "<testing>-backports". But all those aspects are a > relatively minor detail IMO. in the discussion that Pirate had with the backports masters, it was my interpretation that they didn't like it. Paul
Attachment:
signature.asc
Description: OpenPGP digital signature