| 1 |
On 19/02/2004, at 5:36 PM, Eric Sammer wrote: |
| 2 |
> * Updating minor versions only within a release. Example: release |
| 3 |
> 2004.1 contains package-1.2.3 and will allow updates within |
| 4 |
> >=package-1.2 and <package-1.3 - Paraphrased suggestion by Stephen |
| 5 |
> White <steve@×××××××××××××××.au> - Note that this specifically states |
| 6 |
> that packges will change between frozen releases and even if in minor |
| 7 |
> versions only, behavior can (and will) change. This probably isn't |
| 8 |
> suitable for the current proposal. |
| 9 |
|
| 10 |
Please note that this: |
| 11 |
|
| 12 |
> * Security updates will always be pushed into the frozen tree between |
| 13 |
> releases so special flags such as --security-only would not be |
| 14 |
> required because any new packages would be security related. |
| 15 |
|
| 16 |
Supercedes the above. What I wanted was for the continued ability to |
| 17 |
provide updates after the tree is frozen, so these security updates |
| 18 |
could be pushed through. Whether these are minor version releases (eg, |
| 19 |
r1, r2, r3) or explicitly labelled security patches isn't important. |
| 20 |
|
| 21 |
> * Gentoo sponsored back porting isn't in the cards. We don't have the |
| 22 |
> dev-power to do so. If upstream maintainers backport security fixes in |
| 23 |
> their packages, they would (presumably) be released as security |
| 24 |
> updates (see above). |
| 25 |
|
| 26 |
Again, the structure of the solution should provide for being able to |
| 27 |
take advantage of other projects who do provide that dev-power (eg, |
| 28 |
Debian) for security backpatching. |
| 29 |
|
| 30 |
> So, further discussion in terms of features for this proposal is |
| 31 |
> invited. Again, please try and avoid implementation issues (i.e. the |
| 32 |
> command should be '--foo', 30 days vs. 31, cvs branches vs. tarballs, |
| 33 |
> etc.) and features that are about portage itself (database backends, |
| 34 |
> security only updates). |
| 35 |
|
| 36 |
The scope of this project is very limited, since any extensions really |
| 37 |
belong to portage-ng. So once the ability to tag out stable trees is |
| 38 |
available, that pretty much covers the most severe problem with using |
| 39 |
Gentoo in a production environment. |
| 40 |
|
| 41 |
In addition, developers really really should be encouraged to make |
| 42 |
their dependencies against the lowest possible versions of packages |
| 43 |
that will still work. I notice that many ebuilds have dependencies |
| 44 |
linked to the latest versions, which escalates into chain-of-dominos |
| 45 |
updates much more rapidly than needed. |
| 46 |
|
| 47 |
-- |
| 48 |
steve@×××××××××××××××.au |
| 49 |
|
| 50 |
CRICOS Provider Number 00123M |
| 51 |
------------------------------------------------ |
| 52 |
This email message is intended only for the addressee(s) |
| 53 |
and contains information that may be confidential and/or |
| 54 |
copyright. If you are not the intended recipient please |
| 55 |
notify the sender by reply email and immediately delete |
| 56 |
this email. Use, disclosure or reproduction of this email |
| 57 |
by anyone other than the intended recipient(s) is strictly |
| 58 |
prohibited. No representation is made that this email or |
| 59 |
any attachments are free of viruses. Virus scanning is |
| 60 |
recommended and is the responsibility of the recipient. |
Archives