On 19/02/2004, at 5:36 PM, Eric Sammer wrote:

> * Updating minor versions only within a release. Example: release
> 2004.1 contains package-1.2.3 and will allow updates within
> >=package-1.2 and <package-1.3 - Paraphrased suggestion by Stephen
> White <steve@×××××××××××××××.au> - Note that this specifically states
> that packages will change between frozen releases and even if in minor
> versions only, behavior can (and will) change. This probably isn't
> suitable for the current proposal.

Please note that this:

> * Security updates will always be pushed into the frozen tree between
> releases so special flags such as --security-only would not be
> required because any new packages would be security related.

Supersedes the above. What I wanted was for the continued ability to
provide updates after the tree is frozen, so these security updates
could be pushed through. Whether these are minor version releases (eg,
r1, r2, r3) or explicitly labelled security patches isn't important.

> * Gentoo sponsored back porting isn't in the cards. We don't have the
> dev-power to do so. If upstream maintainers backport security fixes in
> their packages, they would (presumably) be released as security
> updates (see above).

Again, the structure of the solution should provide for being able to
take advantage of other projects who do provide that dev-power (eg,
Debian) for security backpatching.

> So, further discussion in terms of features for this proposal is
> invited. Again, please try and avoid implementation issues (i.e. the
> command should be '--foo', 30 days vs. 31, cvs branches vs. tarballs,
> etc.) and features that are about portage itself (database backends,
> security only updates).

The scope of this project is very limited, since any extensions really
belong to portage-ng. So once the ability to tag out stable trees is
available, that pretty much covers the most severe problem with using
Gentoo in a production environment.

In addition, developers really really should be encouraged to make
their dependencies against the lowest possible versions of packages
that will still work. I notice that many ebuilds have dependencies
linked to the latest versions, which escalates into chain-of-dominos
updates much more rapidly than needed.

-- 
steve@×××××××××××××××.au

CRICOS Provider Number 00123M
------------------------------------------------
This email message is intended only for the addressee(s)
and contains information that may be confidential and/or
copyright. If you are not the intended recipient please
notify the sender by reply email and immediately delete
this email. Use, disclosure or reproduction of this email
by anyone other than the intended recipient(s) is strictly
prohibited. No representation is made that this email or
any attachments are free of viruses. Virus scanning is
recommended and is the responsibility of the recipient.