On Tue, Feb 03, 2004 at 05:30:19PM +0200 or thereabouts, Dan Armak wrote:
> I don't understand this comment. The developers would still work against a cvs
> tree that contains all the latest stable stuff (base + changes) so why would
> there be a problem with deps that wasn't in the orig GLEP?

Sorry -- I should have spelled this out a little more.

One of Spider's points was that people may not want to update every quarter
-- they might prefer an annual update cycle. We're facilitating this by
guaranteeing ebuilds will be in the tree at least a year. However, if
we're supporting distributions of the stable tree via tbz2s and
security/bugfixes via rsync, then I can see a problem with some of the
security/bugfixes requiring dependencies that aren't in some of the older
trees.

As a (purely hypothetical) example:

The 2004.0 stable tree gets released and includes OpenSSL 0.9.6

...11 months passes by...

A security vulnerability is found in gaim. The new gaim ebuild is added to
the tree, but it depends on OpenSSL 0.9.7. Now anyone using 2004.0 is
going to have problems. We could work around this by including OpenSSL
0.9.7 in the security/update tree, but that also has a couple of problems:

* how can we easily figure out that OpenSSL 0.9.7 needs to get in there in
  the first place.
* It, in and of itself, isn't a security/bug fix update, yet anyone running
  the stable tree is going to get it as such the next time they sync their
  tree.

--kurt
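
An added illustration of the hypothetical in the message above (not part of the original post, and not Gentoo or Portage code): an audit that walks a security update's dependencies against a frozen stable snapshot and reports both problems the two bullets describe. The data layout, the `audit_update` name and the gaim version placeholder are assumptions; only the OpenSSL 0.9.6 and 0.9.7 versions come from the message.

```python
# Constructed sample data modelling the hypothetical in the message.
# Versions are plain dotted numbers; letter suffixes are not handled.

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

# Frozen 2004.0 snapshot: package -> version shipped in the stable tree.
SNAPSHOT_2004_0 = {"openssl": "0.9.6"}

# Update tree as first proposed: only the gaim fix is present.
# "0" is a placeholder; the message names no gaim version.
UPDATES_FIX_ONLY = {
    "gaim": {"version": "0", "security": True, "deps": [("openssl", "0.9.7")]},
}

# Workaround from the message: OpenSSL 0.9.7 is added to the update tree,
# although it is not itself a security/bug fix.
UPDATES_WITH_DEP = dict(UPDATES_FIX_ONLY)
UPDATES_WITH_DEP["openssl"] = {"version": "0.9.7", "security": False, "deps": []}

def audit_update(snapshot, updates, name):
    """Walk the dependency closure of update `name` against the snapshot.

    Returns one finding per dependency the frozen snapshot cannot satisfy,
    noting whether the update tree supplies it and whether that supplied
    package is itself flagged as a security fix.
    """
    findings, queue, seen = [], [name], set()
    while queue:
        cur = queue.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for dep, needed in updates[cur]["deps"]:
            have = snapshot.get(dep)
            if have is not None and parse_version(have) >= parse_version(needed):
                continue  # the frozen tree already satisfies this dependency
            supplied = updates.get(dep)
            ok = (supplied is not None and
                  parse_version(supplied["version"]) >= parse_version(needed))
            findings.append({
                "required_by": cur, "pkg": dep, "needed": needed, "have": have,
                "in_update_tree": ok,
                "is_security_fix": bool(ok and supplied["security"]),
            })
            if ok:
                queue.append(dep)  # the pulled-in package has deps of its own
    return findings

if __name__ == "__main__":
    for tree in (UPDATES_FIX_ONLY, UPDATES_WITH_DEP):
        for f in audit_update(SNAPSHOT_2004_0, tree, "gaim"):
            print(f)
```

A finding with `in_update_tree` false corresponds to 2004.0 users being unable to install the fix; one with `in_update_tree` true and `is_security_fix` false corresponds to a non-security package reaching stable users through the update channel.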