[Mageia-dev] Proposal for backport process and policy

andre999 andr55 at laposte.net
Wed Jul 27 03:07:09 CEST 2011


Samuel Verschelde wrote:
> On Tuesday 26 July 2011 07:56:36, blind Pete wrote:
>> on Tue, 26 Jul 2011 08:34
>> in the Usenet newsgroup gmane.linux.mageia.devel
>> Samuel Verschelde wrote:
>>
>> [snip]
>>
>>> *** Old backports ***
>>> Remove old backports when newer ones are submitted
>>> - otherwise we let people use old bugged or plagued with security issues
>>> packages, when they don't necessarily know that there are problems with
>>> them
>>> - simpler choice: users have to choose between the version in
>>> updates and the one in backports, not more
>>> - less space on mirrors (fear wesnoth and vegastrike multiple backports!)
>>>
>>> Thank you for reading.
>>>
>>>   Best regards,
>>>
>>> Samuel Verschelde
>>
>> It is theoretically possible that there could be multiple versions with
>> bug fixes and feature enhancements with no known security problems in any
>> of them.  Firefox appears to be almost going down that path.  I think
>> that FF 5 is just FF 4.0.3 with a silly name - please correct me if I am
>> wrong - and 5 should obsolete 4.  But I can imagine several versions
>> existing during the life of a LTS release.
>>
>> The deletion criteria should be, "there is a vulnerability that is
>> not going to be fixed".  That is usually, but not always the same as,
>> "there is a new version".
>
> Are you going to check every existing backport for vulnerabilities so that we
> can choose which versions to delete ? If not, I don't think this is realistic
> to support 5 versions of the same package at the same time. Let's go with the
> simpler approach.

I can see the point of not keeping multiple backports of larger packages such
as ff.
And the point of keeping things simpler.

However, often a newer version of a package drops/changes features of older
versions, so it really does make sense to keep the older version available,
for fallback.  This often applies to very small optional modules of some 
application.
(On my system there is at least one very old optional module for a package that 
I keep for that reason.)

So my suggestion: for smaller packages, say not more than about 1 M or 5 M,
(where size doesn't present a problem), we keep multiple backports as long as 
there are no known security issues.

> Best regards
>
> Samuel Verschelde

-- 
André

