(Note: pkg-security@tracker.d.o is not a valid email, dropped) Hi, On Thu, 29 Aug 2019, Holger Levsen wrote: > > In general, we (Debian) don't have a good answer to this problem and > > virtualbox is clearly a bad precedent. We really need to find a solution > > to this in concertation with the release managers. > > so I've added them to this thread. > > youtube-dl is in the same boat... To kickstart the discussion, I can try to make a proposal. 1/ We tag such packages in some way (let's say a new field "Backport-Only: yes") 2/ Those packages are considered like others for testing migration but when britney accepts them, instead of adding them to "<testing-codename>" it adds them to "<testing-codename>-backports". Obviously this requires britney to consider the combination of both repositories when considering migrations. And it will require changes to generate two separate output files for dak. The hardest part is ensuring that testing doesn't contain packages that would depend on packages present only in the backports part. Not sure we want to handle this directly within britney. It might be better to have QA tools for this and report bugs as appropriate. The good thing is that those applications are then available from day 1 in stable-backports after the release. The backports rules would have to be tweaked a bit to accept backports coming out of "<testing>-backports". But all those aspects are a relatively minor detail IMO. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: https://www.freexian.com/services/debian-lts.html Learn to master Debian: https://debian-handbook.info/get/
Attachment:
signature.asc
Description: PGP signature