| 1 |
On Tue, Feb 03, 2004 at 05:30:19PM +0200 or thereabouts, Dan Armak wrote: |
| 2 |
> I don't understand this comment. The developers would still work against a cvs |
| 3 |
> tree that contains all the latest stable stuff (base + changes) so why would |
| 4 |
> there be a problem with deps that wasn't in the orig GLEP? |
| 5 |
|
| 6 |
Sorry -- I should have spelled this out a little more. |
| 7 |
|
| 8 |
One of Spider's points was that people may not want to update every quarter |
| 9 |
-- they might prefer an annual update cycle. We're facilitating this by |
| 10 |
guaranteeing ebuilds will be in the tree at least a year. However, if |
| 11 |
we're supporting distributions of the stable tree via tbz2s and |
| 12 |
security/bugfixes via rsync, then I can see a problem with some of the |
| 13 |
security/bugfixes requiring dependencies that aren't in some of the older |
| 14 |
trees. |
| 15 |
|
| 16 |
As a (purely hypothetical) example: |
| 17 |
|
| 18 |
The 2004.0 stable tree gets released and includes OpenSSL 0.9.6 |
| 19 |
|
| 20 |
...11 months passes by... |
| 21 |
|
| 22 |
A security vulnerability is found in gaim. The new gaim ebuild is added to |
| 23 |
the tree, but it depends on OpenSSL 0.9.7. Now anyone using 2004.0 is |
| 24 |
going to have problems. We could work around this by including OpenSSL |
| 25 |
0.9.7 in the security/update tree, but that also has a couple of problems: |
| 26 |
|
| 27 |
* how can we easily figure out that OpenSSL 0.9.7 needs to get in there in |
| 28 |
the first place. |
| 29 |
* It, in and of itself, isn't a security/bug fix update, yet anyone running |
| 30 |
the stable tree is going to get it as such the next time they sync their |
| 31 |
tree. |
| 32 |
|
| 33 |
--kurt |
Archives