| 1 |
On Tuesday 03 February 2004 18:05, Kurt Lieber wrote: |
| 2 |
> On Tue, Feb 03, 2004 at 05:06:01PM +0200 or thereabouts, Dan Armak wrote: |
| 3 |
> > A bigger inconvinience is that every developer will have to maintain a |
| 4 |
> > stable tree system image (or real system) to test any off-cycle updates |
| 5 |
> > he may have to do, often hurrying because of a major vulnerability |
| 6 |
> > already published. will that be required? Is there a way around it? |
| 7 |
> |
| 8 |
> There should be *very* few cases where this happens. For the most part, |
| 9 |
> devs will only be committing things off-cycle to the stable tree that are |
| 10 |
> already in the main tree. For example: Another half-dozen exploits are |
| 11 |
> found in gaim. The gaim herd/maintainer fixes up the new ebuild and |
| 12 |
> commits it first to the main tree (generally ~masked) and then to the |
| 13 |
> stable tree (probably as ~stable). |
| 14 |
> |
| 15 |
> The only time where I can see a problem is when there is an ebuild still in |
| 16 |
> the stable tree that no longer exists in the main tree. However, by then, |
| 17 |
> I would hope all major/critical bugs have been worked out of it, so only |
| 18 |
> security issues would be a problem. |
| 19 |
|
| 20 |
I meant a scenario like this: |
| 21 |
- foo-1 and mylib-1 are in the stable tree. |
| 22 |
- Time passes and mylib-2 and foo-2 enter the main tree. |
| 23 |
- One day exploits are found in foo; foo-2-r1 which contains the fixes is |
| 24 |
added to the stable tree. It only depends on >=mylib-1, so mylib-2 isn't |
| 25 |
added to the stable tree. |
| 26 |
- The combination foo-2 + mylib-1 is buggy. But no-one ever tested it, because |
| 27 |
foo-2 came out after mylib-2 and that's what everone tested it with. So the |
| 28 |
bug will make its first appearence in the stable tree. |
| 29 |
|
| 30 |
This is an unlikely event but with a big enough tree with lots of |
| 31 |
interdependencies it will happen occasionally. Similar things happen |
| 32 |
sometimes in the main tree, and we have to change a dep to require the latest |
| 33 |
version of a library, not because the library's new functionality or |
| 34 |
interface is required, but because the new app version triggers bugs in the |
| 35 |
old library version. |
| 36 |
|
| 37 |
(I'm reminded of the libxml2/libxslt vs. kde docs versioning story, though |
| 38 |
that was somewhat different...) |
| 39 |
|
| 40 |
-- |
| 41 |
Dan Armak |
| 42 |
Gentoo Linux developer (KDE) |
| 43 |
Matan, Israel |
| 44 |
Public GPG key: http://dev.gentoo.org/~danarmak/danarmak-gpg-public.key |
| 45 |
Fingerprint: DD70 DBF9 E3D4 6CB9 2FDD 0069 508D 9143 8D5F 8951 |
Archives