| 1 |
On Tuesday 03 February 2004 17:29, Dan Armak wrote: |
| 2 |
> |
| 3 |
> I meant a scenario like this: |
| 4 |
> - foo-1 and mylib-1 are in the stable tree. |
| 5 |
> - Time passes and mylib-2 and foo-2 enter the main tree. |
| 6 |
> - One day exploits are found in foo; foo-2-r1 which contains the fixes is |
| 7 |
> added to the stable tree. It only depends on >=mylib-1, so mylib-2 isn't |
| 8 |
> added to the stable tree. |
| 9 |
> - The combination foo-2 + mylib-1 is buggy. But no-one ever tested it, |
| 10 |
> because foo-2 came out after mylib-2 and that's what everone tested it |
| 11 |
> with. So the bug will make its first appearence in the stable tree. |
| 12 |
> |
| 13 |
> This is an unlikely event but with a big enough tree with lots of |
| 14 |
> interdependencies it will happen occasionally. Similar things happen |
| 15 |
> sometimes in the main tree, and we have to change a dep to require the |
| 16 |
> latest version of a library, not because the library's new functionality or |
| 17 |
> interface is required, but because the new app version triggers bugs in the |
| 18 |
> old library version. |
| 19 |
> |
| 20 |
> (I'm reminded of the libxml2/libxslt vs. kde docs versioning story, though |
| 21 |
> that was somewhat different...) |
| 22 |
|
| 23 |
That's why I am in favor of backporting security fixes unless it is absolutely |
| 24 |
impossible. The big question is, can we pull that off? I don't know? |
| 25 |
|
| 26 |
For me a fixed tree means that it does not change unless. And in case a change |
| 27 |
is unavoidable, it changes as little as possible -> backporting security |
| 28 |
fixes. |
| 29 |
|
| 30 |
Paul |
| 31 |
|
| 32 |
-- |
| 33 |
Paul de Vrieze |
| 34 |
Gentoo Developer |
| 35 |
Mail: pauldv@g.o |
| 36 |
Homepage: http://www.devrieze.net |
Archives